Edit tour

Windows Analysis Report
CYA75gigem.exe

Overview

General Information

Sample name:	CYA75gigem.exe renamed because original name is a hash value
Original sample name:	c063144d97874cb1e7edf5bdb84c3599.exe
Analysis ID:	1614874
MD5:	c063144d97874cb1e7edf5bdb84c3599
SHA1:	f6acb702e7571633ad2c5bdd1e519d617eb34c3d
SHA256:	f19da3c90ad45036e225845169410e70c0e3cd9e9394b000f3bb1102badc6d7b
Tags:	exeuser-abuse_ch
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CYA75gigem.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\CYA75gigem.exe" MD5: C063144D97874CB1E7EDF5BDB84C3599)

BitLockerToGo.exe (PID: 7588 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

chrome.exe (PID: 7744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2204,i,1790315144490273545,12717934201771538317,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 3988 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5680 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2424,i,4433328751228120541,16908853615490472188,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 6968 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\jmo89" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3564 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

msedge.exe (PID: 5084 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1340 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2608 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6628 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7048 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6204 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6516 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000009.00000003.1647208456.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1ad7f:$str01: MachineID: 0x19d4f:$str02: Work Dir: In memory 0x1ae27:$str03: [Hardware] 0x1ad68:$str04: VideoCard: 0x1a4c0:$str05: [Processes] 0x1a4cc:$str06: [Software] 0x19de0:$str07: information.txt 0x1aabc:$str08: %s\* 0x1ab09:$str08: %s\* 0x19ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1a392:$str12: UseMasterPassword 0x1ae33:$str13: Soft: WinSCP 0x1a86b:$str14: <Pass encoding="base64"> 0x1ae16:$str15: Soft: FileZilla 0x19dd2:$str16: passwords.txt 0x1a3bd:$str17: build_id 0x1a484:$str18: file_data
00000001.00000002.1592577669.000000000A2E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1592577669.000000000A2E0000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000001.00000002.1592577669.000000000A416000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1592577669.000000000A2C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1592577669.000000000A2C0000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000001.00000002.1592577669.000000000A300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1592577669.000000000A300000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000001.00000002.1592577669.000000000A320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1592577669.000000000A320000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: CYA75gigem.exe PID: 6856	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7588	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.CYA75gigem.exe.a320000.6.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.CYA75gigem.exe.a320000.6.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
1.2.CYA75gigem.exe.a2e0000.3.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.CYA75gigem.exe.a2e0000.3.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
9.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
9.2.BitLockerToGo.exe.400000.0.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
1.2.CYA75gigem.exe.a300000.5.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
9.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
9.2.BitLockerToGo.exe.400000.0.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1ad7f:$str01: MachineID: 0x19d4f:$str02: Work Dir: In memory 0x1ae27:$str03: [Hardware] 0x1ad68:$str04: VideoCard: 0x1a4c0:$str05: [Processes] 0x1a4cc:$str06: [Software] 0x19de0:$str07: information.txt 0x1aabc:$str08: %s\* 0x1ab09:$str08: %s\* 0x19ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1a392:$str12: UseMasterPassword 0x1ae33:$str13: Soft: WinSCP 0x1a86b:$str14: <Pass encoding="base64"> 0x1ae16:$str15: Soft: FileZilla 0x19dd2:$str16: passwords.txt 0x1a3bd:$str17: build_id 0x1a484:$str18: file_data
1.2.CYA75gigem.exe.a300000.5.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.CYA75gigem.exe.a300000.5.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
1.2.CYA75gigem.exe.a340000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
1.2.CYA75gigem.exe.a2e0000.3.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
1.2.CYA75gigem.exe.a320000.6.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
1.2.CYA75gigem.exe.a340000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.CYA75gigem.exe.a340000.1.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
1.2.CYA75gigem.exe.a2c0000.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.CYA75gigem.exe.a2c0000.4.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
1.2.CYA75gigem.exe.a2c0000.4.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 7588, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 7744, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T08:25:16.037670+0100	2044247	1	Malware Command and Control Activity Detected	88.99.124.230	443	192.168.2.7	61121	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T08:25:17.369010+0100	2051831	1	Malware Command and Control Activity Detected	88.99.124.230	443	192.168.2.7	61130	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T08:25:16.037483+0100	2049087	1	A Network Trojan was detected	192.168.2.7	61121	88.99.124.230	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T08:25:18.943895+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61141	88.99.124.230	443	TCP
2025-02-14T08:25:19.879113+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61145	88.99.124.230	443	TCP
2025-02-14T08:25:28.065645+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61217	88.99.124.230	443	TCP
2025-02-14T08:25:28.299998+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61224	88.99.124.230	443	TCP
2025-02-14T08:25:29.316863+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61230	88.99.124.230	443	TCP
2025-02-14T08:25:31.395559+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61246	88.99.124.230	443	TCP
2025-02-14T08:25:33.253284+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61248	88.99.124.230	443	TCP
2025-02-14T08:25:39.531802+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61279	88.99.124.230	443	TCP
2025-02-14T08:25:39.847509+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61284	88.99.124.230	443	TCP
2025-02-14T08:25:40.981259+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61291	88.99.124.230	443	TCP
2025-02-14T08:25:42.021082+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	61297	88.99.124.230	443	TCP
2025-02-14T08:25:43.700853+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	52410	88.99.124.230	443	TCP
2025-02-14T08:25:44.725174+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	52417	88.99.124.230	443	TCP
2025-02-14T08:25:46.939672+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	52422	88.99.124.230	443	TCP
2025-02-14T08:25:51.453196+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	52425	88.99.124.230	443	TCP
2025-02-14T08:25:55.943724+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	52432	88.99.124.230	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T08:25:28.299998+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	61224	88.99.124.230	443	TCP
2025-02-14T08:25:29.316863+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	61230	88.99.124.230	443	TCP
2025-02-14T08:25:31.395559+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	61246	88.99.124.230	443	TCP
2025-02-14T08:25:39.847509+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	61284	88.99.124.230	443	TCP
2025-02-14T08:25:40.981259+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	61291	88.99.124.230	443	TCP
2025-02-14T08:25:42.021082+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	61297	88.99.124.230	443	TCP
2025-02-14T08:25:43.700853+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	52410	88.99.124.230	443	TCP
2025-02-14T08:25:44.725174+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	52417	88.99.124.230	443	TCP
2025-02-14T08:25:46.939672+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	52422	88.99.124.230	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T08:25:13.208019+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.7	61102	88.99.124.230	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CYA75gigem.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://webdisk.lodrat.org/i;	Avira URL Cloud: Label: malware
Source: https://webdisk.lodrat.org/webdisk.lodrat.org	Avira URL Cloud: Label: malware
Source: https://webdisk.lodrat.org/nt.documentE	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}

Multi AV Scanner detection for submitted file

Source: CYA75gigem.exe	ReversingLabs: Detection: 40%
Source: CYA75gigem.exe	Virustotal: Detection: 48%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00405FE7 CryptUnprotectData,LocalAlloc,LocalFree,	9_2_00405FE7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040E7E9 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	9_2_0040E7E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00406062 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	9_2_00406062
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040627F LocalAlloc,BCryptDecrypt,	9_2_0040627F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040609C BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	9_2_0040609C

Source: CYA75gigem.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:61084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.124.230:443 -> 192.168.2.7:61094 version: TLS 1.2

Source: CYA75gigem.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, CYA75gigem.exe, 00000001.00000002.1590446144.000000000A256000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, CYA75gigem.exe, 00000001.00000002.1590446144.000000000A256000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A3DC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A3DC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, CYA75gigem.exe, 00000001.00000002.1590446144.000000000A256000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00412A5D wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_00412A5D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose,	9_2_00407891
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,	9_2_0040A69C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	9_2_00408776
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00413B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose,	9_2_00413B10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00411BD2 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_00411BD2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose,	9_2_004013DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_00406784
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00411187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	9_2_00411187
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	9_2_00409C78
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_00408224
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00412539 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	9_2_00412539

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_00411722 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

9_2_00411722

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 29MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.7:61102 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.7:61121 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61145 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61141 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 88.99.124.230:443 -> 192.168.2.7:61130
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 88.99.124.230:443 -> 192.168.2.7:61121
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61217 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61224 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:61224 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61248 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61246 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:61246 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61279 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61230 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:61230 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61291 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61297 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:61297 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:61291 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:61284 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:61284 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:52417 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:52417 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:52422 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:52422 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:52410 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:52410 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:52425 -> 88.99.124.230:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:52432 -> 88.99.124.230:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199825403037

Source: global traffic	TCP traffic: 192.168.2.7:52380 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.7:61052 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /b4cha00 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 2.22.242.11 2.22.242.11
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 13.74.129.1 13.74.129.1

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 51.137.137.111
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_00403C79 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

9_2_00403C79

Source: global traffic	HTTP traffic detected: GET /b4cha00 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0Host: webdisk.lodrat.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlqHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlqHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlqHLAQiFoM0BCLnKzQEIitPNARj1yc0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.db56afd7ad4ece15d946.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=EF3D1CEC59894898A5CA1011D58FBBA8.RefC=2025-02-14T07:25:35Z; USRLOC=; MUID=2DC2684C548A6DF12F7B7DDF55E86C57; MUIDB=2DC2684C548A6DF12F7B7DDF55E86C57; _EDGE_S=F=1&SID=3483B987A5026DF620DEAC14A4F66CE6; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.96ac23719317b1928681.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=EF3D1CEC59894898A5CA1011D58FBBA8.RefC=2025-02-14T07:25:35Z; USRLOC=; MUID=2DC2684C548A6DF12F7B7DDF55E86C57; MUIDB=2DC2684C548A6DF12F7B7DDF55E86C57; _EDGE_S=F=1&SID=3483B987A5026DF620DEAC14A4F66CE6; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.5da1d823f3d7131a6bff.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.4d74ce6d770d1f2b035e.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.ea60ee3e04f7fd86bc43.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=2DC2684C548A6DF12F7B7DDF55E86C57; _EDGE_S=F=1&SID=3483B987A5026DF620DEAC14A4F66CE6; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739522257441&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ef3d1cec59894898a5ca1011d58fbba8&activityId=ef3d1cec59894898a5ca1011d58fbba8&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=2DC2684C548A6DF12F7B7DDF55E86C57; _EDGE_S=F=1&SID=3483B987A5026DF620DEAC14A4F66CE6; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1739522257442&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2DC2684C548A6DF12F7B7DDF55E86C57&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1739522257442&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2DC2684C548A6DF12F7B7DDF55E86C57&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1A60c9c0d8add1857a8a1ee1739517942; XID=1A60c9c0d8add1857a8a1ee1739517942
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 250sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 3gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=EF3D1CEC59894898A5CA1011D58FBBA8.RefC=2025-02-14T07:25:35Z; USRLOC=; MUID=2DC2684C548A6DF12F7B7DDF55E86C57; MUIDB=2DC2684C548A6DF12F7B7DDF55E86C57; _EDGE_S=F=1&SID=3483B987A5026DF620DEAC14A4F66CE6; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=bb3dee72-a8ad-421a-bfb4-11b5bb6f4868; ai_session=HpATCAGQEzVThnhJBZ6yZv\|1739522257436\|1739522257436; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=EF3D1CEC59894898A5CA1011D58FBBA8.RefC=2025-02-14T07:25:35Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":51,"imageId":"BB1msySq","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=EF3D1CEC59894898A5CA1011D58FBBA8.RefC=2025-02-14T07:25:35Z; USRLOC=; MUID=2DC2684C548A6DF12F7B7DDF55E86C57; MUIDB=2DC2684C548A6DF12F7B7DDF55E86C57; _EDGE_S=F=1&SID=3483B987A5026DF620DEAC14A4F66CE6; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=bb3dee72-a8ad-421a-bfb4-11b5bb6f4868; ai_session=HpATCAGQEzVThnhJBZ6yZv\|1739522257436\|1739522257436; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=EF3D1CEC59894898A5CA1011D58FBBA8.RefC=2025-02-14T07:25:35Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739522257441&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ef3d1cec59894898a5ca1011d58fbba8&activityId=ef3d1cec59894898a5ca1011d58fbba8&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=9A4981D3FDDD481BBE8A0876958624B3&MUID=2DC2684C548A6DF12F7B7DDF55E86C57 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=2DC2684C548A6DF12F7B7DDF55E86C57; _EDGE_S=F=1&SID=3483B987A5026DF620DEAC14A4F66CE6; _EDGE_V=1; SM=T; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D

Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000B.00000003.1715827786.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1715637633.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1715695595.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 0000000B.00000003.1715827786.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1715637633.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1715695595.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: webdisk.lodrat.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic	DNS traffic detected: DNS query: r.msftstatic.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----w4w4wl68y5ph47qi589rUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0Host: webdisk.lodrat.orgContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: CYA75gigem.exe	String found in binary or memory: http://.css
Source: CYA75gigem.exe	String found in binary or memory: http://.jpg
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: CYA75gigem.exe	String found in binary or memory: http://html4/loose.dtd
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 0000000B.00000003.1716979235.0000009C010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716606649.0000009C01078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716731219.0000009C01088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716809579.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 0000000B.00000003.1716979235.0000009C010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716606649.0000009C01078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716731219.0000009C01088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718356616.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718308209.0000009C00ED4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718331686.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716809579.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716774978.0000009C010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718279497.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 0000000B.00000003.1716979235.0000009C010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716606649.0000009C01078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716731219.0000009C01088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718356616.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718308209.0000009C00ED4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718331686.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716809579.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716774978.0000009C010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718279497.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 0000000B.00000003.1716979235.0000009C010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716606649.0000009C01078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716731219.0000009C01088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718356616.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718308209.0000009C00ED4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718331686.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716809579.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716774978.0000009C010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718279497.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 0000000B.00000003.1716979235.0000009C010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716606649.0000009C01078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716731219.0000009C01088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718356616.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718308209.0000009C00ED4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718331686.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716809579.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716774978.0000009C010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718279497.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_434.13.dr	String found in binary or memory: http://www.broofa.com
Source: BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, 8y58gl.9.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chromecache_434.13.dr, chromecache_433.13.dr	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 0000000E.00000002.1841069278.000002240B737000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2351b84e-e2df-4584-b041-fba5ee3b4e44.tmp.17.dr	String found in binary or memory: https://assets.msn.com
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: BitLockerToGo.exe, 00000009.00000002.2108827400.000000000556D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, 3euk6x.9.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: BitLockerToGo.exe, 00000009.00000002.2108827400.000000000556D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, 3euk6x.9.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://c.msn.com/
Source: BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, 8y58gl.9.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 0000000B.00000003.1713217284.0000009C00BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 0000000B.00000003.1713217284.0000009C00BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000B.00000003.1713149844.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000002.1839259406.000001F80017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.15.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 0000000B.00000003.1712802741.0000009C004AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708439027.0000009C00CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718391002.0000009C00C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718160839.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1715124461.0000009C00CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718131654.0000009C0033C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708377791.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1713107680.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1713149844.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000B.00000003.1700607500.00000904006B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000B.00000003.1700607500.00000904006B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700540659.0000090400684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: msedge.exe, 0000000E.00000002.1839259406.000001F80017C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.15.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: 2351b84e-e2df-4584-b041-fba5ee3b4e44.tmp.17.dr	String found in binary or memory: https://clients2.google.com
Source: chrome.exe, 0000000B.00000003.1696435684.000051DC002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1696401582.000051DC002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000B.00000003.1713217284.0000009C00BD8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000002.1838722453.000001F800040000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.15.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000B.00000003.1713217284.0000009C00BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx=
Source: 2351b84e-e2df-4584-b041-fba5ee3b4e44.tmp.17.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: BitLockerToGo.exe, 00000009.00000002.2108827400.000000000556D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, 3euk6x.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: BitLockerToGo.exe, 00000009.00000002.2108827400.000000000556D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, 3euk6x.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: manifest.json0.15.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: manifest.json0.15.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.15.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.15.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.15.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.15.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.15.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.15.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json0.15.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000000B.00000003.1713217284.0000009C00BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log0.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log0.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log0.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr, HubApps Icons.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_434.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_434.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_434.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_434.13.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://gaana.com/
Source: chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/%n
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(n
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com//n
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2n
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/9n
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Cl
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Fl
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ml
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Pl
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Zl
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/al
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/dl
Source: chrome.exe, 0000000B.00000003.1700540659.0000090400684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gj
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/kl
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/n
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/nl
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ul
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xl
Source: chrome.exe, 0000000B.00000003.1700540659.0000090400684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000B.00000003.1700540659.0000090400684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000B.00000003.1700540659.0000090400684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000B.00000003.1700801053.00000904006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 0000000E.00000002.1839487207.000001F800314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: 3euk6x.9.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000000B.00000003.1749747828.0000009C01884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000000B.00000003.1749747828.0000009C01884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000000B.00000003.1700077950.0000090400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1744611949.000009040080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000B.00000003.1734685865.0000009C012C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1734511999.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741148027.0000009C0135C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1733964962.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741858666.0000009C0141C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 0000000B.00000003.1700859761.00000904006EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 0000000B.00000003.1700282888.000009040039C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://m.kugou.com/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://m.soundcloud.com/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://m.vk.com/
Source: chrome.exe, 0000000B.00000003.1734685865.0000009C012C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1734511999.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741148027.0000009C0135C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1733964962.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741858666.0000009C0141C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: msedge.exe, 0000000E.00000002.1839487207.000001F800314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000E.00000002.1839487207.000001F800314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: msedge.exe, 0000000E.00000002.1839487207.000001F800314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/Y
Source: Cookies.17.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.17.dr	String found in binary or memory: https://msn.comXIDv10sZ
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://music.amazon.com
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://music.apple.com
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://music.yandex.com
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000B.00000003.1715637633.0000009C00FC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log2.15.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log2.15.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.15.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.15.dr, 000003.log2.15.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log2.15.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13383995852385827.15.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.15.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: msedge.exe, 0000000E.00000002.1839487207.000001F800314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000000B.00000003.1741905875.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://open.spotify.com
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 0000000B.00000003.1715637633.0000009C00FC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chromecache_434.13.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 0000000B.00000003.1715637633.0000009C00FC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://srtb.msn.com/
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000000B.00000003.1734685865.0000009C012C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1734511999.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741148027.0000009C0135C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1733964962.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741858666.0000009C0141C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, CYA75gigem.exe, 00000001.00000002.1589538121.000000000A044000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199825403037
Source: BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199825403037oomaino5Mozilla/5.0
Source: BitLockerToGo.exe, 00000009.00000002.2110494220.000000000576D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000009.00000002.2110494220.000000000576D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000009.00000003.1632368494.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.000000000289A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647208456.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660632126.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/)d
Source: BitLockerToGo.exe, 00000009.00000003.1632368494.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.000000000289A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647208456.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660632126.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/8d
Source: BitLockerToGo.exe, 00000009.00000003.1660632126.000000000289F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1605382347.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1605382347.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/b4cha00
Source: BitLockerToGo.exe, 00000009.00000003.1632368494.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647208456.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660632126.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/b4cha00k
Source: BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/b4cha00oomaino5Mozilla/5.0
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://tidal.com/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://twitter.com/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://vibe.naver.com/today
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: BitLockerToGo.exe, 00000009.00000003.1605192736.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://web.telegram.org/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://web.whatsapp.com
Source: BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodr
Source: BitLockerToGo.exe, 00000009.00000003.1619179591.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodra
Source: BitLockerToGo.exe, 00000009.00000003.1619179591.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1605382347.00000000028D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2105782432.000000000531B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org
Source: BitLockerToGo.exe, 00000009.00000003.1804855035.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/
Source: BitLockerToGo.exe, 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1632317356.00000000028D5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1619240121.00000000028D4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1619179591.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/)
Source: BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660632126.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/--
Source: BitLockerToGo.exe, 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/0
Source: BitLockerToGo.exe, 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/Content-Disposition:
Source: BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/I;
Source: BitLockerToGo.exe, 00000009.00000003.1632317356.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/Q
Source: BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/a;
Source: BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/i;
Source: BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1632317356.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/l
Source: BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/nt.documentE
Source: BitLockerToGo.exe, 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1632317356.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1619179591.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/nt.documentElement&&document.documentElement.classList&&docu
Source: BitLockerToGo.exe, 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdisk.lodrat.org/webdisk.lodrat.org
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: BitLockerToGo.exe, 00000009.00000002.2108827400.000000000556D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, 3euk6x.9.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.deezer.com/
Source: BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, 8y58gl.9.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000B.00000003.1713149844.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1709164390.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: content.js.15.dr, content_new.js.15.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 0000000B.00000003.1734685865.0000009C012C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1734511999.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741148027.0000009C0135C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1733964962.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741858666.0000009C0141C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000B.00000003.1732864087.0000009C002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chromecache_434.13.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_434.13.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_434.13.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000B.00000003.1741065656.0000009C00EE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1734511999.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741148027.0000009C0135C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1740781727.0000009C01384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1733964962.0000009C01340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741858666.0000009C0141C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Bvq7OK2_7ZA.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.S4XVq7ljTQU.L.W.O/m=qmd
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.instagram.com
Source: BitLockerToGo.exe, 00000009.00000002.2108827400.000000000556D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, 3euk6x.9.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.last.fm/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.messenger.com
Source: BitLockerToGo.exe, 00000009.00000002.2110494220.000000000576D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: BitLockerToGo.exe, 00000009.00000002.2110494220.000000000576D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: BitLockerToGo.exe, 00000009.00000002.2110494220.000000000576D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: BitLockerToGo.exe, 00000009.00000002.2110494220.000000000576D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000009.00000002.2110494220.000000000576D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2cc80dabc69f58b6_1.15.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.office.com
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.tiktok.com/
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://www.youtube.com
Source: e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52421 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61224
Source: unknown	Network traffic detected: HTTP traffic on port 61279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 61141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52404
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52402
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52403
Source: unknown	Network traffic detected: HTTP traffic on port 61267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61230
Source: unknown	Network traffic detected: HTTP traffic on port 61291 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61113
Source: unknown	Network traffic detected: HTTP traffic on port 61274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52417
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52418
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52419
Source: unknown	Network traffic detected: HTTP traffic on port 52410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52410
Source: unknown	Network traffic detected: HTTP traffic on port 61264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52418 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52411
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61248
Source: unknown	Network traffic detected: HTTP traffic on port 52389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52381
Source: unknown	Network traffic detected: HTTP traffic on port 52404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61246
Source: unknown	Network traffic detected: HTTP traffic on port 61145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61260
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52421
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52424
Source: unknown	Network traffic detected: HTTP traffic on port 52381 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52425
Source: unknown	Network traffic detected: HTTP traffic on port 52438 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52389
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52422
Source: unknown	Network traffic detected: HTTP traffic on port 61269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52423
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61259
Source: unknown	Network traffic detected: HTTP traffic on port 52424 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52395
Source: unknown	Network traffic detected: HTTP traffic on port 61213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61130
Source: unknown	Network traffic detected: HTTP traffic on port 52395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61257
Source: unknown	Network traffic detected: HTTP traffic on port 61297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52438
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52398
Source: unknown	Network traffic detected: HTTP traffic on port 61266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52432
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52436
Source: unknown	Network traffic detected: HTTP traffic on port 52425 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61141
Source: unknown	Network traffic detected: HTTP traffic on port 61252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61269
Source: unknown	Network traffic detected: HTTP traffic on port 52436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61281
Source: unknown	Network traffic detected: HTTP traffic on port 52411 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52444
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52445
Source: unknown	Network traffic detected: HTTP traffic on port 61260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52422 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61274
Source: unknown	Network traffic detected: HTTP traffic on port 61257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61279
Source: unknown	Network traffic detected: HTTP traffic on port 61295 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61290
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61291
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61173
Source: unknown	Network traffic detected: HTTP traffic on port 61268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52423 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61284
Source: unknown	Network traffic detected: HTTP traffic on port 61290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61287
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61201
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52417 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61217
Source: unknown	Network traffic detected: HTTP traffic on port 52403 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61295
Source: unknown	Network traffic detected: HTTP traffic on port 61217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61297
Source: unknown	Network traffic detected: HTTP traffic on port 61121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52445 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61213

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:61084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 88.99.124.230:443 -> 192.168.2.7:61094 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_0040EAB5 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

9_2_0040EAB5

Source: CYA75gigem.exe, 00000001.00000002.1588430101.000000000092B000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: is unavailable()<>@,;:\"/[]?=,M3.2.0,M11.1.00601021504Z07001st_place_medal26_alphanumeric2nd_place_medal3rd_place_medal40_alphanumeric476837158203125: cannot parse : no frame (sp=<invalid Value>ASCII_Hex_DigitAddDllDirectoryAddThreadMemberAlign 128-BytesAlign 265-BytesAlign 512-BytesBeginGuildPruneCLSIDFromStringCallWindowProcWCreateErrorInfoCreateGuildRoleCreateHardLinkWCreatePopupMenuCreateWindowExWCustomAttributeDeleteGuildRoleDeviceIoControlDialogBoxParamWDllCanUnloadNowDragAcceptFilesDrawThemeTextExDuplicateHandleEFI ApplicationExcludeClipRectFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGdiplusShutdownGetActiveObjectGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetGuildInvitesGetGuildPreviewGetGuildStickerGetModuleHandleGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleGetThreadMemberGot version 2 !Hanifi_RohingyaHitachi SH3 DSPImpersonateSelfImportEntrySizeInsertMenuItemWIsWindowEnabledIsWindowUnicodeIsWindowVisibleIsWow64Process2ListGuildEmojisLoadLibraryExA

memstr_cbe38326-3

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_00405AD3 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

9_2_00405AD3

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.CYA75gigem.exe.a320000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a2e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 9.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a300000.5.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 9.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a300000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a340000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a2e0000.3.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a320000.6.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a2c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.CYA75gigem.exe.a2c0000.4.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000001.00000002.1592577669.000000000A2E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000001.00000002.1592577669.000000000A416000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000001.00000002.1592577669.000000000A2C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000001.00000002.1592577669.000000000A300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000001.00000002.1592577669.000000000A320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00404B3F	9_2_00404B3F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00415147	9_2_00415147
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00417D56	9_2_00417D56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040AF7E	9_2_0040AF7E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_004171E1	9_2_004171E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_004153AF	9_2_004153AF

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: String function: 0040D84A appears 136 times

Source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A3DC000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs CYA75gigem.exe

Source: CYA75gigem.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 1.2.CYA75gigem.exe.a320000.6.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a2e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 9.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a300000.5.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 9.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a300000.5.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a340000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a2e0000.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a320000.6.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a2c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.CYA75gigem.exe.a2c0000.4.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000001.00000002.1592577669.000000000A2E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000001.00000002.1592577669.000000000A416000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000001.00000002.1592577669.000000000A2C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000001.00000002.1592577669.000000000A300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000001.00000002.1592577669.000000000A320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@70/270@16/16

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,

9_2_0040F029

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\E5VN07JX.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_03

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user~1\AppData\Local\Temp\74738843-7e91-49fa-8e28-86e679d53f4c.tmp

Jump to behavior

Source: CYA75gigem.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CYA75gigem.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BitLockerToGo.exe, 00000009.00000003.1804037779.0000000004FCA000.00000004.00000020.00020000.00000000.sdmp, ymymyuai5.9.dr, jwb1nycjm.9.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CYA75gigem.exe	ReversingLabs: Detection: 40%
Source: CYA75gigem.exe	Virustotal: Detection: 48%

Source: CYA75gigem.exe	String found in binary or memory: net/addrselect.go
Source: CYA75gigem.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
Source: CYA75gigem.exe	String found in binary or memory: github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go
Source: CYA75gigem.exe	String found in binary or memory: github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go
Source: CYA75gigem.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: unknown	Process created: C:\Users\user\Desktop\CYA75gigem.exe "C:\Users\user\Desktop\CYA75gigem.exe"
Source: C:\Users\user\Desktop\CYA75gigem.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2204,i,1790315144490273545,12717934201771538317,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2424,i,4433328751228120541,16908853615490472188,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2608 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6628 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7048 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\jmo89" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6516 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8
Source: C:\Users\user\Desktop\CYA75gigem.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\jmo89" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2204,i,1790315144490273545,12717934201771538317,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2424,i,4433328751228120541,16908853615490472188,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2608 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6628 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7048 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6516 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6516 --field-trial-handle=2084,i,1114583297904604921,16776871692402841659,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\CYA75gigem.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: CYA75gigem.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: CYA75gigem.exe

Static file information: File size 9511424 > 1048576

Source: CYA75gigem.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x419400
Source: CYA75gigem.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x3f6600

Source: CYA75gigem.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, CYA75gigem.exe, 00000001.00000002.1590446144.000000000A256000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, CYA75gigem.exe, 00000001.00000002.1590446144.000000000A256000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A3DC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A3DC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: CYA75gigem.exe, 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, CYA75gigem.exe, 00000001.00000002.1590446144.000000000A256000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_0040E886

Source: CYA75gigem.exe

Static PE information: section name: .symtab

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

9_2_0040E886

Source: C:\Users\user\Desktop\CYA75gigem.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_9-11553

Source: C:\Windows\SysWOW64\timeout.exe TID: 5572

Thread sleep count: 87 > 30

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00412A5D wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_00412A5D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose,	9_2_00407891
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,	9_2_0040A69C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	9_2_00408776
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00413B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose,	9_2_00413B10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00411BD2 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_00411BD2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose,	9_2_004013DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_00406784
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00411187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	9_2_00411187
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	9_2_00409C78
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_00408224
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_00412539 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	9_2_00412539

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_00411722 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

9_2_00411722

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_0040DF8C GetSystemInfo,wsprintfA,

9_2_0040DF8C

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: ppp8y5.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: ppp8y5.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: ppp8y5.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: ppp8y5.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: ppp8y5.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: ppp8y5.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: BitLockerToGo.exe, 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647208456.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1632368494.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.0000000002858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 0000000E.00000002.1838743364.000001F800050000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: ppp8y5.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: ppp8y5.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: ppp8y5.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: ppp8y5.9.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: CYA75gigem.exe, 00000001.00000002.1589128183.000000000130E000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000E.00000002.1840150713.0000022409842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ppp8y5.9.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: ppp8y5.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: ppp8y5.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: ppp8y5.9.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: ppp8y5.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ppp8y5.9.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: ppp8y5.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: ppp8y5.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: ppp8y5.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: ppp8y5.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: ppp8y5.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: ppp8y5.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node	graph_9-12152
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node	graph_9-12246
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node	graph_9-11858

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

9_2_0040E886

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_0040D84A lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrcpyA,lstrcatA,

9_2_0040D84A

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\CYA75gigem.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CYA75gigem.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,		9_2_0040F029
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 9_2_0040F0CA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,		9_2_0040F0CA

Writes to foreign memory regions

Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26F8008	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 419000	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41F000	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 421000	Jump to behavior

Source: C:\Users\user\Desktop\CYA75gigem.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\jmo89" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: CYA75gigem.exe

Binary or memory string: %s(?:\s+(\S+))?, gp->status=, not pointer-byte block (3814697265625: unknown pc Align 2-BytesAlign 4-BytesAlign 8-BytesAnimateWindowAssemblyRefOSAuthorizationBSTR_UserFreeBSTR_UserSizeBaseArena::.*BoolPtrStringBrowserSearchCONNECT_ERRORCache-ControlCertOpenStoreClearCustDataCoTaskMemFreeContent-RangeCreateActCtxWCreateGroupDMCreateMessageCreateRectRgnCreateTypeLibCreateWebhookDeleteMessageDeleteServiceDeleteWebhookDestroyWindowDrawFocusRectEFI ROM imageEFI byte codeEnumPrintersWEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFloat32StringFloat64StringFreeAddrInfoWGC sweep waitGetClassNameWGetClientRectGetDeviceCapsGetDriveTypeWGetGatewayBotGetGuildEmojiGetGuildRolesGetMenuItemIDGetScrollInfoGetSystemMenuGetThemeColorGetWindowLongGetWindowRectGunjala_GondiHanja / KanjiImageList_AddInterfaceImplInvalid GuildInvalid shardKana / HangulLoadTypeLibExMIPS with FPUMapViewOfFileMasaram_GondiMende_KikakuiModifyChannelModifyWebhookModule32NextWNtQueryObjectOMAP From SrcOld_HungarianOleInitializeOpenClipboardOpenThemeDataPdhCloseQueryRate limited.RegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWRtlGetVersionRtlInitStringRtlMoveMemorySHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSSTREAM_CLOSEDSafeArrayCopySafeArrayLockSetBrushOrgExSetScrollInfoSetWindowLongShellExecuteWShell_TrayWndStandAloneSigStartServiceWStructEndBoolStructEndUintStructHeadIntStructHeadMapStructPtrHeadSysFreeStringThread32FirstUintPtrStringUnknown buildUnknown emojiUnknown errorUnknown guildUnknown lobbyUnknown tokenUsage of %s:

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

9_2_0040DE1C

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\CYA75gigem.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CYA75gigem.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_00417842 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

9_2_00417842

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_00414CDB EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,

9_2_00414CDB

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 9_2_0040DDBF GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

9_2_0040DDBF

Source: C:\Users\user\Desktop\CYA75gigem.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 1.2.CYA75gigem.exe.a320000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a2e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a300000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a2c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1647208456.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A2E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A2C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CYA75gigem.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7588, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 5gSVohAoh0ufGxrC.2rs\user\AppData\Roaming\Binance\simple-storage.json
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.000000000289A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000009.00000002.2105782432.00000000051C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match

File source: Process Memory Space: BitLockerToGo.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 1.2.CYA75gigem.exe.a320000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a2e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a300000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CYA75gigem.exe.a2c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1647208456.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A2E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A2C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1592577669.000000000A320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CYA75gigem.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7588, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	1 Extra Window Memory Injection	1 Obfuscated Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	412 Process Injection	1 DLL Side-Loading	1 Credentials in Registry	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	35 System Information Discovery	Distributed Component Object Model	11 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	412 Process Injection	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CYA75gigem.exe	41%	ReversingLabs
CYA75gigem.exe	49%	Virustotal		Browse
CYA75gigem.exe	100%	Avira	TR/Crypt.XPACK.Gen

Source	Detection	Scanner	Label
https://webdisk.lodrat.org/i;	100%	Avira URL Cloud	malware
https://webdisk.lodr	0%	Avira URL Cloud	safe
https://msn.comXIDv10sZ	0%	Avira URL Cloud	safe
https://webdisk.lodrat.org/webdisk.lodrat.org	100%	Avira URL Cloud	malware
https://webdisk.lodrat.org/nt.documentE	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
plus.l.google.com	142.250.186.142	true	false	high
a416.dscd.akamai.net	2.22.242.11	true	false	high
onedscolprdeus17.eastus.cloudapp.azure.com	20.42.65.91	true	false	high
t.me	149.154.167.99	true	false	high
webdisk.lodrat.org	88.99.124.230	true	true	unknown
a-0003.a-msedge.net	204.79.197.203	true	false	high
c-msn-pme.trafficmanager.net	13.74.129.1	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
play.google.com	142.250.185.110	true	false	high
a-0016.a-msedge.net	204.79.197.219	true	false	high
sb.scorecardresearch.com	18.244.18.32	true	false	high
www.google.com	142.250.186.36	true	false	high
e28578.d.akamaiedge.net	95.101.182.8	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.129	true	false	high
assets.msn.com	unknown	unknown	false	high
r.msftstatic.com	unknown	unknown	false	high
15.164.165.52.in-addr.arpa	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high
browser.events.data.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://c.msn.com/c.gif?rnd=1739522257441&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ef3d1cec59894898a5ca1011d58fbba8&activityId=ef3d1cec59894898a5ca1011d58fbba8&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=9A4981D3FDDD481BBE8A0876958624B3&MUID=2DC2684C548A6DF12F7B7DDF55E86C57	false	high
https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js	false	high
https://clients2.googleusercontent.com/crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1739522261698&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false	high
https://assets.msn.com/bundles/v1/edgeChromium/latest/microsoft.5da1d823f3d7131a6bff.js	false	high
https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true	false	high
https://assets.msn.com/statics/icons/favicon_newtabpage.png	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	false		high
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	false		high
https://google-ohttp-relay-join.fastly-edge.com/(n	chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/0	000003.log2.15.dr	false		high
https://ntp.msn.com/_default	QuotaManager.15.dr	false		high
http://anglebug.com/4633	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Zl	chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webdisk.lodrat.org/i;	BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://google-ohttp-relay-join.fastly-edge.com/9n	chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.cn/edge/ntp	2cc80dabc69f58b6_1.15.dr	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 0000000B.00000003.1716979235.0000009C010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716606649.0000009C01078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716731219.0000009C01088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718356616.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718308209.0000009C00ED4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718331686.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716809579.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716774978.0000009C010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718279497.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	manifest.json0.15.dr	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	chrome.exe, 0000000B.00000003.1715637633.0000009C00FC0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.instagram.com	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 0000000B.00000003.1741099077.0000009C01340000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://outlook.office.com/mail/compose?isExtension=true	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
http://anglebug.com/6929	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i.y.qq.com/n2/m/index.html	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://www.deezer.com/	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://msn.comXIDv10sZ	Cookies.17.dr	false	Avira URL Cloud: safe	unknown
https://issuetracker.google.com/255411748	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web.telegram.org/	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 0000000B.00000003.1713217284.0000009C00BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 0000000B.00000003.1713149844.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000002.1839259406.000001F80017C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	manifest.json0.15.dr	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 0000000B.00000003.1716979235.0000009C010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716606649.0000009C01078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716731219.0000009C01088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718356616.0000009C00F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718308209.0000009C00ED4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718707541.0000009C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718826358.0000009C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718331686.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718586350.0000009C003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716809579.0000009C00F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1716774978.0000009C010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718279497.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/b4cha00oomaino5Mozilla/5.0	BitLockerToGo.exe, 00000009.00000002.2101492330.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000009.00000002.2105782432.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, Web Data.15.dr, ppp8y5.9.dr, 8y58gl.9.dr	false		high
https://t.me/b4cha00k	BitLockerToGo.exe, 00000009.00000003.1632368494.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647208456.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660632126.000000000289F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000009.00000003.1804037779.0000000005005000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000005005000.00000004.00000020.00020000.00000000.sdmp, 8y58gl.9.dr	false		high
https://drive-daily-1.corp.google.com/	manifest.json0.15.dr	false		high
https://excel.new?from=EdgeM365Shoreline	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json0.15.dr	false		high
https://webdisk.lodr	BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/kl	chrome.exe, 0000000B.00000003.1746545216.0000009C015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746479661.0000009C015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746756020.0000009C015CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1746629554.0000009C015C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webdisk.lodrat.org/nt.documentE	BitLockerToGo.exe, 00000009.00000003.1673952082.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://anglebug.com/7556	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	msedge.exe, 0000000E.00000002.1839259406.000001F80017C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.15.dr	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	BitLockerToGo.exe, 00000009.00000002.2108827400.000000000556D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2101868029.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000002.2104620414.0000000004F8D000.00000004.00000020.00020000.00000000.sdmp, 3euk6x.9.dr	false		high
https://webdisk.lodrat.org/I;	BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://srtb.msn.cn/	2cc80dabc69f58b6_1.15.dr	false		high
https://chrome.google.com/webstore/	manifest.json.15.dr	false		high
https://bard.google.com/	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
https://assets.msn.cn/resolver/	2cc80dabc69f58b6_1.15.dr	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 0000000B.00000003.1742474723.0000009C0144C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	CYA75gigem.exe	false		high
https://browser.events.data.msn.com/	2cc80dabc69f58b6_1.15.dr	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 0000000E.00000003.1835036592.000001F80026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1834880031.000001F800264000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webdisk.lodrat.org/webdisk.lodrat.org	BitLockerToGo.exe, 00000009.00000003.1660632126.00000000028C1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1647170572.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000009.00000003.1660700445.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://anglebug.com/3502	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
http://anglebug.com/3625	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.live.com/mail/0/	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high
http://anglebug.com/3624	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5007	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/edge/ntp	2cc80dabc69f58b6_1.15.dr, 000003.log2.15.dr	false		high
https://assets.msn.com/resolver/	2cc80dabc69f58b6_1.15.dr	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 0000000B.00000003.1712802741.0000009C004AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708439027.0000009C00CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718391002.0000009C00C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718160839.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1715124461.0000009C00CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1718131654.0000009C0033C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708377791.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1713107680.0000009C00C78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1713149844.0000009C00C88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4836	chrome.exe, 0000000B.00000003.1708480775.0000009C00AD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1708458821.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.1707345125.0000009C00380000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835659054.000001F80034C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/issues/166475273	msedge.exe, 0000000E.00000003.1835134652.000001F800360000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	CYA75gigem.exe	false		high
https://ch.search.yahoo.com/favicon.ico	chrome.exe, 0000000B.00000003.1713217284.0000009C00BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tidal.com/	e0d5c4e9-a3be-4408-aa45-44f0d1a0aa60.tmp.15.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.129	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
2.22.242.11	a416.dscd.akamai.net	European Union	20940	AKAMAI-ASN1EU	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
13.74.129.1	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	a-0016.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
95.101.182.8	e28578.d.akamaiedge.net	European Union	20940	AKAMAI-ASN1EU	false
142.250.186.36	www.google.com	United States	15169	GOOGLEUS	false
20.42.65.91	onedscolprdeus17.eastus.cloudapp.azure.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
18.244.18.32	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
142.250.185.110	play.google.com	United States	15169	GOOGLEUS	false
88.99.124.230	webdisk.lodrat.org	Germany	24940	HETZNER-ASDE	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.142	plus.l.google.com	United States	15169	GOOGLEUS	false
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.7
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1614874
Start date and time:	2025-02-14 08:23:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CYA75gigem.exe renamed because original name is a hash value
Original Sample Name:	c063144d97874cb1e7edf5bdb84c3599.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@70/270@16/16
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 63 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 142.250.186.163, 74.125.71.84, 142.250.186.78, 142.250.185.206, 142.250.185.99, 142.250.186.74, 142.250.185.202, 142.250.185.74, 142.250.74.202, 142.250.185.106, 172.217.16.202, 142.250.185.234, 142.250.185.170, 216.58.206.42, 142.250.186.42, 142.250.181.234, 216.58.206.74, 142.250.186.138, 142.250.185.138, 172.217.23.106, 142.250.186.106, 13.107.42.16, 204.79.197.239, 13.107.21.239, 13.107.6.158, 172.211.159.152, 88.221.110.179, 88.221.110.195, 184.86.251.27, 184.86.251.22, 184.86.251.19, 184.86.251.24, 184.86.251.20, 184.86.251.30, 184.86.251.28, 184.86.251.21, 184.86.251.16, 2.19.122.9, 2.19.122.15, 2.19.122.11, 2.19.122.16, 2.19.122.5, 2.19.122.13, 2.19.122.14, 2.19.122.12, 2.19.122.6, 4.231.66.184, 2.22.242.82, 2.22.242.121, 23.57.90.81, 23.57.90.70, 2.23.227.208, 2.23.227.215, 199.232.214.172, 13.107.253.45, 4.175.87.197, 52.165.164.15, 4.245.163.56, 2.19.106.160, 94.245.104.56, 20.190.160.67, 150.171.28.10
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, edgeassetservice.afd.azureedge.net, p-static.bing.trafficmanager.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, l-0007.l-msedge.net, www.bing.com, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, ogads-pa.googleapis.com, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, c.bing.com, edgeassetservice.azureedge.net, clients.l.google.com, config.edge.skype.com.trafficmanager.net, time.windows.com, prod-agic-we-4.westeurope.cloudapp.azure.com, redirector.gvt1.com, www.bing.com.edgekey.net, th.bing.com, msedge.b.tlu.dl.delivery.mp.m
Execution Graph export aborted for target CYA75gigem.exe, PID 6856 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.74.129.1	N11R7lRasm.exe	Get hash	malicious	Vidar	Browse
	https://forms.office.com/e/AZqcTu03uu	Get hash	malicious	Unknown	Browse
	https://eur01.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Finnerworks621-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Ffbayoumi_iwexpress_com%2FEV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ%3Fe%3DPJWGhb&data=05%7C02%7Cm.schwarzfaerber%40gutmann.de%7Cba71d958cbce4017fe2b08dd4c1498cf%7Cb8afaafb131d4ce28085e6ff7718d438%7C0%7C0%7C638750373515189602%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jFoC7e8%2BnChKZDPYgfO8Z0D6BEVH0spDWEnRRVzuauE%3D&reserved=0	Get hash	malicious	Unknown	Browse
	https://innerworks621-my.sharepoint.com/:w:/g/personal/fbayoumi_iwexpress_com/EV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ?rtime=X7A0bhVM3Ug	Get hash	malicious	Unknown	Browse
	bestgirlfriendformylifesheismygirlmyonly.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Trojan.Agent.U8LJFD.31222.29577.exe	Get hash	malicious	Vidar	Browse
	http://fedx-express.top/	Get hash	malicious	Unknown	Browse
	pothjasefdj.exe	Get hash	malicious	Vidar	Browse
2.22.242.11	https://eur01.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Finnerworks621-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Ffbayoumi_iwexpress_com%2FEV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ%3Fe%3DPJWGhb&data=05%7C02%7Cm.schwarzfaerber%40gutmann.de%7Cba71d958cbce4017fe2b08dd4c1498cf%7Cb8afaafb131d4ce28085e6ff7718d438%7C0%7C0%7C638750373515189602%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jFoC7e8%2BnChKZDPYgfO8Z0D6BEVH0spDWEnRRVzuauE%3D&reserved=0	Get hash	malicious	Unknown	Browse
	bestgirlfriendformylifesheismygirlmyonly.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Trojan.Agent.U8LJFD.31222.29577.exe	Get hash	malicious	Vidar	Browse
	pothjasefdj.exe	Get hash	malicious	Vidar	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	bot2.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	seethebestthingswithbstteamworkgiven.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	random.exe	Get hash	malicious	Vidar	Browse
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	Howard.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://woodfordservicecentre.craft.me/iz204wmfgdyEOm	Get hash	malicious	Unknown	Browse	104.21.27.108
	http://result526.top/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://telegram.outsmarttookurmoney.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://coinatrx.top/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://waaws.icu/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	Howard_patched.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	main.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	qNXDfsU2K7.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	H5S6rm5oQ9.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
a416.dscd.akamai.net	rgIYxoflou.lnk	Get hash	malicious	Unknown	Browse	2.16.164.33
	N11R7lRasm.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
	https://eur01.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Finnerworks621-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Ffbayoumi_iwexpress_com%2FEV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ%3Fe%3DPJWGhb&data=05%7C02%7Cm.schwarzfaerber%40gutmann.de%7Cba71d958cbce4017fe2b08dd4c1498cf%7Cb8afaafb131d4ce28085e6ff7718d438%7C0%7C0%7C638750373515189602%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jFoC7e8%2BnChKZDPYgfO8Z0D6BEVH0spDWEnRRVzuauE%3D&reserved=0	Get hash	malicious	Unknown	Browse	2.22.242.11
	https://innerworks621-my.sharepoint.com/:w:/g/personal/fbayoumi_iwexpress_com/EV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ?rtime=X7A0bhVM3Ug	Get hash	malicious	Unknown	Browse	2.22.242.105
	bestgirlfriendformylifesheismygirlmyonly.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	2.22.242.11
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse	2.22.242.11
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse	2.16.164.33
	SecuriteInfo.com.Win32.Trojan.Agent.U8LJFD.31222.29577.exe	Get hash	malicious	Vidar	Browse	2.22.242.11
	pothjasefdj.exe	Get hash	malicious	Vidar	Browse	2.22.242.11
	nbyiksfthaed.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
webdisk.lodrat.org	main.exe	Get hash	malicious	Vidar	Browse	88.99.124.230
a-0003.a-msedge.net	N11R7lRasm.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	https://eur01.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Finnerworks621-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Ffbayoumi_iwexpress_com%2FEV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ%3Fe%3DPJWGhb&data=05%7C02%7Cm.schwarzfaerber%40gutmann.de%7Cba71d958cbce4017fe2b08dd4c1498cf%7Cb8afaafb131d4ce28085e6ff7718d438%7C0%7C0%7C638750373515189602%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jFoC7e8%2BnChKZDPYgfO8Z0D6BEVH0spDWEnRRVzuauE%3D&reserved=0	Get hash	malicious	Unknown	Browse	204.79.197.203
	https://innerworks621-my.sharepoint.com/:w:/g/personal/fbayoumi_iwexpress_com/EV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ?rtime=X7A0bhVM3Ug	Get hash	malicious	Unknown	Browse	204.79.197.203
	bestgirlfriendformylifesheismygirlmyonly.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	204.79.197.203
	FCEI-job-notification.doc	Get hash	malicious	Discord Token Stealer	Browse	204.79.197.203
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	SecuriteInfo.com.Win32.Trojan.Agent.U8LJFD.31222.29577.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.10350.31223.exe	Get hash	malicious	FormBook	Browse	204.79.197.203
	pothjasefdj.exe	Get hash	malicious	Vidar	Browse	204.79.197.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	DHL AWB Document_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	MAERSK Shipping Document - Bill of Lading - Packing List - SWB Receipt _PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Limitarian.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Gruss.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Q-M20251302.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Hjertesukkene.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Justificante transferencia bancaria 097185445.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FACTURA SOLICITADA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://news.b-link.fr/d?p00bbciy0cqje600d0000h6y00000000c72w7g7ifgj3dlplexgvlf0000000s000000ip35uou&lk=bllp67adfdc2260aa	Get hash	malicious	Unknown	Browse	13.107.42.14
	SecuriteInfo.com.Heur.25555.7765.xls	Get hash	malicious	Unknown	Browse	13.107.253.45
	Febrero 2025.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	PO-KA2982202115-26.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.44
	SWIFT COPY.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://woodfordservicecentre.craft.me/iz204wmfgdyEOm	Get hash	malicious	Unknown	Browse	191.238.76.193
	res.m68k.elf	Get hash	malicious	Unknown	Browse	21.88.231.242
	res.mips.elf	Get hash	malicious	Unknown	Browse	21.169.52.179
	res.sh4.elf	Get hash	malicious	Unknown	Browse	70.37.79.67
	res.spc.elf	Get hash	malicious	Unknown	Browse	22.11.61.195
AKAMAI-ASN1EU	https://news.b-link.fr/d?p00bbciy0cqje600d0000h6y00000000c72w7g7ifgj3dlplexgvlf0000000s000000ip35uou&lk=bllp67adfdc2260aa	Get hash	malicious	Unknown	Browse	2.16.164.35
	t5vT1k9gg6.exe	Get hash	malicious	Amadey, Healer AV Disabler, LummaC Stealer, PureLog Stealer, RedLine, Xorist, zgRAT	Browse	23.197.127.21
	rgIYxoflou.lnk	Get hash	malicious	Unknown	Browse	2.16.164.33
	http://ringcentral.co	Get hash	malicious	Unknown	Browse	88.221.110.26
	Howard.exe	Get hash	malicious	Vidar	Browse	23.197.127.21
	http://mm-2.uxr919zm.eu.org/	Get hash	malicious	Unknown	Browse	2.21.65.135
	http://liefrung.neu.planen.18-193-117-123.cprapid.com/app/update.php?3	Get hash	malicious	Unknown	Browse	2.22.242.138
	https://bodensee.immo/verify	Get hash	malicious	Unknown	Browse	2.22.242.121
	http://cgcudtuctydcgujtd.d3e0e9479pu9h0.amplifyapp.com/	Get hash	malicious	TechSupportScam	Browse	23.215.18.210
	http://case0125786-handling-help.vercel.app/	Get hash	malicious	Unknown	Browse	23.67.132.99
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://news.b-link.fr/d?p00bbciy0cqje600d0000h6y00000000c72w7g7ifgj3dlplexgvlf0000000s000000ip35uou&lk=bllp67adfdc2260aa	Get hash	malicious	Unknown	Browse	13.107.42.14
	SecuriteInfo.com.Heur.25555.7765.xls	Get hash	malicious	Unknown	Browse	13.107.253.45
	Febrero 2025.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	PO-KA2982202115-26.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.44
	SWIFT COPY.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://woodfordservicecentre.craft.me/iz204wmfgdyEOm	Get hash	malicious	Unknown	Browse	191.238.76.193
	res.m68k.elf	Get hash	malicious	Unknown	Browse	21.88.231.242
	res.mips.elf	Get hash	malicious	Unknown	Browse	21.169.52.179
	res.sh4.elf	Get hash	malicious	Unknown	Browse	70.37.79.67
	res.spc.elf	Get hash	malicious	Unknown	Browse	22.11.61.195

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Poundbreach178.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	88.99.124.230 149.154.167.99
	Opsprtning.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	88.99.124.230 149.154.167.99
	runner.ps1	Get hash	malicious	Unknown	Browse	88.99.124.230 149.154.167.99
	DHL AWB Document_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	88.99.124.230 149.154.167.99
	MAERSK Shipping Document - Bill of Lading - SWB Receipt - Packing List_PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	88.99.124.230 149.154.167.99
	MAERSK Shipping Document - Bill of Lading - Packing List - SWB Receipt _PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	88.99.124.230 149.154.167.99
	Limitarian.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	88.99.124.230 149.154.167.99
	Gruss.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	88.99.124.230 149.154.167.99
	Q-M20251302.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	88.99.124.230 149.154.167.99
	Hjertesukkene.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	88.99.124.230 149.154.167.99

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	9370
Entropy (8bit):	5.514140640374404
Encrypted:	false
SSDEEP:	192:lLnSRkPYbBp6tqUCaXr6V6kHNBw8D3nSl:NeqqUWpPwK0
MD5:	7E44458E0A8A3A7D10875BC3B7AE72D1
SHA1:	E5E6AC8676EE3761DAB13A10EB7573C19F48D297
SHA-256:	21A04E176A9CEBDA60AE6FD82A7495C6E0867ED02B8009A44DDC9863E14D8753
SHA-512:	012ED6CDC0802AA1063EFE841549341CC86EB626A26FC4BDC509598D8E33093296510344A2CC4419B007F6191F3445DA8F0AAE3B1626E54C1EF66DDDF3FA59B1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696491690);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696491694);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57639
Entropy (8bit):	6.103644524404108
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynBPGWv/sxtwTj7VLyMV/YoskFoz:z/0+zI7yn5v/4KTVeZoskG
MD5:	42E5E3F82ED19413087451F81779C7D4
SHA1:	347421D234E81207E9588A6555A4EC3B6DBBCA15
SHA-256:	7DD16F4AA8B366759E9A5BA416F613F077D47DADEADFCA8CE62524DE1812C0F5
SHA-512:	50457D15BB0824353A12FA45F7FA1B9FD23B5DCA406FA37E71A7637AD265DF47BF3D33C6FEF9DD254B26B9CF9F162D757A882B07CF7183E2DFCA5A1DD631CCF6
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CYA75gigem.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\jmo89\3euk6x

C:\ProgramData\jmo89\5fuk68

C:\ProgramData\jmo89\8y58gl

C:\ProgramData\jmo89\cbimyu

C:\ProgramData\jmo89\eknyus

C:\ProgramData\jmo89\jwb1nycjm

C:\ProgramData\jmo89\mophdt

C:\ProgramData\jmo89\ppp8y5

C:\ProgramData\jmo89\ymymyuai5

Windows Analysis Report
CYA75gigem.exe