Edit tour

Windows Analysis Report
xn3nGSFdRn.exe

Overview

General Information

Sample name:	xn3nGSFdRn.exe renamed because original name is a hash value
Original sample name:	b6bd9bba1a2413d8e3ed5b3743d81961.exe
Analysis ID:	1627452
MD5:	b6bd9bba1a2413d8e3ed5b3743d81961
SHA1:	d109bcc2f82c65aa6ab7b7a46a2b6e35721021c8
SHA256:	1cea85b0fdaa55fa1b59610e986a3ff895e838264d1f9624d3518153f8eec4a4
Tags:	exeuser-abuse_ch
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Monitors registry run keys for changes

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

xn3nGSFdRn.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\xn3nGSFdRn.exe" MD5: B6BD9BBA1A2413D8E3ED5B3743D81961)

chrome.exe (PID: 6928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5952 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2308,i,3555853924540401404,5638919351951329885,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 7572 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7788 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2384,i,10835794379392093070,15074625128958994288,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cmd.exe (PID: 8628 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\hdj5f" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 8680 cmdline: timeout /t 11 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

msedge.exe (PID: 7800 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 6860 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 7716 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

msedge.exe (PID: 4828 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6984 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7012 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7024 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 9000 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7216 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xn3nGSFdRn.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2198350247.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: xn3nGSFdRn.exe PID: 7088	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: xn3nGSFdRn.exe PID: 7088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xn3nGSFdRn.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\xn3nGSFdRn.exe", ParentImage: C:\Users\user\Desktop\xn3nGSFdRn.exe, ParentProcessId: 7088, ParentProcessName: xn3nGSFdRn.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 6928, ProcessName: chrome.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-02T13:09:28.585265+0100	2028765	3	Unknown Traffic	192.168.2.6	49786	116.203.11.236	443	TCP
2025-03-02T13:09:29.886772+0100	2028765	3	Unknown Traffic	192.168.2.6	49797	116.203.11.236	443	TCP
2025-03-02T13:09:31.241145+0100	2028765	3	Unknown Traffic	192.168.2.6	49807	116.203.11.236	443	TCP
2025-03-02T13:09:32.594013+0100	2028765	3	Unknown Traffic	192.168.2.6	49820	116.203.11.236	443	TCP
2025-03-02T13:09:33.951729+0100	2028765	3	Unknown Traffic	192.168.2.6	49829	116.203.11.236	443	TCP
2025-03-02T13:09:35.346685+0100	2028765	3	Unknown Traffic	192.168.2.6	49838	116.203.11.236	443	TCP
2025-03-02T13:09:36.921614+0100	2028765	3	Unknown Traffic	192.168.2.6	49849	116.203.11.236	443	TCP
2025-03-02T13:09:37.950760+0100	2028765	3	Unknown Traffic	192.168.2.6	49859	116.203.11.236	443	TCP
2025-03-02T13:09:38.969952+0100	2028765	3	Unknown Traffic	192.168.2.6	49865	116.203.11.236	443	TCP
2025-03-02T13:09:40.043216+0100	2028765	3	Unknown Traffic	192.168.2.6	49874	116.203.11.236	443	TCP
2025-03-02T13:09:48.125676+0100	2028765	3	Unknown Traffic	192.168.2.6	49950	116.203.11.236	443	TCP
2025-03-02T13:09:49.209633+0100	2028765	3	Unknown Traffic	192.168.2.6	49957	116.203.11.236	443	TCP
2025-03-02T13:09:50.254270+0100	2028765	3	Unknown Traffic	192.168.2.6	49966	116.203.11.236	443	TCP
2025-03-02T13:09:51.260362+0100	2028765	3	Unknown Traffic	192.168.2.6	49975	116.203.11.236	443	TCP
2025-03-02T13:09:53.279586+0100	2028765	3	Unknown Traffic	192.168.2.6	49990	116.203.11.236	443	TCP
2025-03-02T13:09:59.454093+0100	2028765	3	Unknown Traffic	192.168.2.6	57870	116.203.11.236	443	TCP
2025-03-02T13:10:00.581628+0100	2028765	3	Unknown Traffic	192.168.2.6	57878	116.203.11.236	443	TCP
2025-03-02T13:10:01.729091+0100	2028765	3	Unknown Traffic	192.168.2.6	57886	116.203.11.236	443	TCP
2025-03-02T13:10:03.154544+0100	2028765	3	Unknown Traffic	192.168.2.6	57899	116.203.11.236	443	TCP
2025-03-02T13:10:04.144755+0100	2028765	3	Unknown Traffic	192.168.2.6	57904	116.203.11.236	443	TCP
2025-03-02T13:10:05.862954+0100	2028765	3	Unknown Traffic	192.168.2.6	57931	116.203.11.236	443	TCP
2025-03-02T13:10:07.230912+0100	2028765	3	Unknown Traffic	192.168.2.6	57947	116.203.11.236	443	TCP
2025-03-02T13:10:11.500130+0100	2028765	3	Unknown Traffic	192.168.2.6	57950	116.203.11.236	443	TCP
2025-03-02T13:10:13.405372+0100	2028765	3	Unknown Traffic	192.168.2.6	57951	116.203.11.236	443	TCP
2025-03-02T13:10:14.753316+0100	2028765	3	Unknown Traffic	192.168.2.6	57953	116.203.11.236	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-02T13:09:33.260236+0100	2044247	1	Malware Command and Control Activity Detected	116.203.11.236	443	192.168.2.6	49820	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-02T13:09:34.609657+0100	2051831	1	Malware Command and Control Activity Detected	116.203.11.236	443	192.168.2.6	49829	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-02T13:09:33.259656+0100	2049087	1	A Network Trojan was detected	192.168.2.6	49820	116.203.11.236	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-02T13:09:36.096641+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49838	116.203.11.236	443	TCP
2025-03-02T13:09:37.673346+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49849	116.203.11.236	443	TCP
2025-03-02T13:09:37.954491+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49859	116.203.11.236	443	TCP
2025-03-02T13:09:38.973975+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49865	116.203.11.236	443	TCP
2025-03-02T13:09:40.046468+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49874	116.203.11.236	443	TCP
2025-03-02T13:09:48.879133+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49950	116.203.11.236	443	TCP
2025-03-02T13:09:49.974337+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49957	116.203.11.236	443	TCP
2025-03-02T13:09:50.257727+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49966	116.203.11.236	443	TCP
2025-03-02T13:09:51.274195+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49975	116.203.11.236	443	TCP
2025-03-02T13:09:53.282678+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49990	116.203.11.236	443	TCP
2025-03-02T13:10:00.416062+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	57870	116.203.11.236	443	TCP
2025-03-02T13:10:00.678033+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	57878	116.203.11.236	443	TCP
2025-03-02T13:10:01.758399+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	57886	116.203.11.236	443	TCP
2025-03-02T13:10:03.162744+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	57899	116.203.11.236	443	TCP
2025-03-02T13:10:07.891449+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	57947	116.203.11.236	443	TCP
2025-03-02T13:10:11.503834+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	57950	116.203.11.236	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-02T13:09:37.954491+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	49859	116.203.11.236	443	TCP
2025-03-02T13:09:38.973975+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	49865	116.203.11.236	443	TCP
2025-03-02T13:09:40.046468+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	49874	116.203.11.236	443	TCP
2025-03-02T13:09:50.257727+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	49966	116.203.11.236	443	TCP
2025-03-02T13:09:51.274195+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	49975	116.203.11.236	443	TCP
2025-03-02T13:09:53.282678+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	49990	116.203.11.236	443	TCP
2025-03-02T13:10:00.678033+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	57878	116.203.11.236	443	TCP
2025-03-02T13:10:01.758399+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	57886	116.203.11.236	443	TCP
2025-03-02T13:10:03.162744+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	57899	116.203.11.236	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-02T13:09:30.558190+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.6	49797	116.203.11.236	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xn3nGSFdRn.exe	Virustotal: Detection: 40%			Perma Link
Source: xn3nGSFdRn.exe	ReversingLabs: Detection: 36%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A6A10 StrStrA,lstrlen,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlen,		0_3_029A6A10
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B0830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,		0_3_029B0830

Source: xn3nGSFdRn.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.11.236:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:57954 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:57955 version: TLS 1.2

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029AB6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	0_3_029AB6B0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B5EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,_mbscpy,_splitpath,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose,	0_3_029B5EB0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A7210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,memset,CopyFileA,DeleteFileA,memset,FindClose,	0_3_029A7210
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B4E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,FindClose,	0_3_029B4E70
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B3580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose,	0_3_029B3580
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A97B0 FindFirstFileA,FindNextFileA,strlen,	0_3_029A97B0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B3FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,FindClose,	0_3_029B3FD0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A13F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	0_3_029A13F0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A8360 FindFirstFileA,CopyFileA,FindNextFileA,strlen,CopyFileA,FindClose,	0_3_029A8360
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A8C90 lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,strlen,lstrcpy,memset,lstrcpy,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpy,lstrcpy,CopyFileA,FindClose,FindClose,DeleteFileA,	0_3_029A8C90
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029AACD0 wsprintfA,FindFirstFileA,strlen,lstrlen,DeleteFileA,CopyFileA,FindClose,	0_3_029AACD0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B4950 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrlen,lstrlen,	0_3_029B4950

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029B3AF0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen,

0_3_029B3AF0

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 8MB later: 31MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.6:49820 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.6:49797 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49849 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49838 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49874 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:49874 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49957 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.203.11.236:443 -> 192.168.2.6:49829
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49859 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:49859 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49865 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:49865 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49966 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:49966 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49975 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:49975 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49990 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:49990 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.203.11.236:443 -> 192.168.2.6:49820
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49950 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:57870 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:57878 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:57878 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:57899 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:57899 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:57886 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:57886 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:57947 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:57950 -> 116.203.11.236:443

Source: global traffic

TCP traffic: 192.168.2.6:57831 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 116.203.11.236Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0hl68q9h4o8g4ekxt0rqHost: 116.203.11.236Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----d2ny5p8q9rqimyusjeu3Host: 116.203.11.236Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----6fkfkxtjec2v3e3wtr1vHost: 116.203.11.236Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7ymgl6fk6pzcjectjmopHost: 116.203.11.236Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----uai5x4w47gv3eus0hdtjHost: 116.203.11.236Content-Length: 5601Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----lx4ozm7yc2nozmozuaieHost: 116.203.11.236Content-Length: 489Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----t26pphlfc2ngvaaieusrHost: 116.203.11.236Content-Length: 213453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7ymgl6fk6pzcjectjmopHost: 116.203.11.236Content-Length: 55081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----aiw4ekno8q168q168yc2Host: 116.203.11.236Content-Length: 142457Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----lno8glfu3ohlf3wt2d26Host: 116.203.11.236Content-Length: 505Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----6xbs2dtrqieuaimgdjmgHost: 116.203.11.236Content-Length: 493Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----qieknozmozu37qqqiwl6Host: 116.203.11.236Content-Length: 207993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----aiwba1dbsjm7yus0zcj5Host: 116.203.11.236Content-Length: 68733Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----va1vkfu3ekf3e37900zmHost: 116.203.11.236Content-Length: 262605Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----mym7ymohlxbieuaimop8Host: 116.203.11.236Content-Length: 3165Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2n7900rimglf37g4ozuaHost: 116.203.11.236Content-Length: 393697Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----c26ppph47qq1v3ohv3wtHost: 116.203.11.236Content-Length: 131557Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----srq16pzmy5ppzukxln7qHost: 116.203.11.236Content-Length: 6990993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----iec26fcb1vs2v3ozusr9Host: 116.203.11.236Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----vk6xlx4o8yukf3o8glnyHost: 116.203.11.236Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----26xbs2dtrqieuaimgdjmHost: 116.203.11.236Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----db1djeu3wbsrqiw4wlx4Host: 116.203.11.236Content-Length: 98217Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1v3ekxb16p8qqq90r168Host: 116.203.11.236Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----bsjm7qq9zua1n7yua16fHost: 116.203.11.236Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 23.219.82.59 23.219.82.59
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 108.139.47.92 108.139.47.92

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49797 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49820 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49838 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49786 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49865 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49807 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49829 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49859 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49874 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49849 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49950 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49957 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49966 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49975 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49990 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57870 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57878 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57886 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57899 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57904 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57931 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57947 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57950 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57951 -> 116.203.11.236:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57953 -> 116.203.11.236:443

Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.11.236

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029A2690 lstrlen,StrCmpCA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,GetProcessHeap,RtlAllocateHeap,memcpy,lstrlen,memcpy,lstrlen,memcpy,lstrlen,HttpSendRequestA,Sleep,HttpQueryInfoA,InternetReadFile,InternetReadFile,StrCmpCA,InternetCloseHandle,InternetCloseHandle,

0_3_029A2690

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 116.203.11.236Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.af337c502c230a9902a8.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.4sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7067FDD7D0334684819D50EE1CFA2262.RefC=2025-03-02T12:09:57Z; USRLOC=; MUID=3C470BCB1C0769AC3E061E681D006839; MUIDB=3C470BCB1C0769AC3E061E681D006839; _EDGE_S=F=1&SID=241E424EB7FD6DDD3A1357EDB6D66C3D; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.96ac23719317b1928681.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 350sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 3gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7067FDD7D0334684819D50EE1CFA2262.RefC=2025-03-02T12:09:57Z; USRLOC=; MUID=3C470BCB1C0769AC3E061E681D006839; MUIDB=3C470BCB1C0769AC3E061E681D006839; _EDGE_S=F=1&SID=241E424EB7FD6DDD3A1357EDB6D66C3D; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.bd02dd0f5f9b69ef8b17.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.bb241b5cf88a9a76514e.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.e283502f48dd51b29357.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohcoRYyASTWkAI21BvR0f-Aos7pzgW3GtD8ImYoX-O9Pl77join3GT-5wpD1vT_nG6xpJ0eds7JOZacv0OYNfBAee3mKSnMDx3-YDnz3J7UxfHM_wfhsyHz9Z8rajAAxlKa5T9frrLlN0KHGfJRu7Y7NseNtZ_M/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=3C470BCB1C0769AC3E061E681D006839; _EDGE_S=F=1&SID=241E424EB7FD6DDD3A1357EDB6D66C3D; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1740917402427&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=7067fdd7d0334684819d50ee1cfa2262&activityId=7067fdd7d0334684819d50ee1cfa2262&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=3C470BCB1C0769AC3E061E681D006839; _EDGE_S=F=1&SID=241E424EB7FD6DDD3A1357EDB6D66C3D; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1740917402428&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3C470BCB1C0769AC3E061E681D006839&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1740917402428&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3C470BCB1C0769AC3E061E681D006839&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1E6633f9cc00da00b2e192c1740917403; XID=1E6633f9cc00da00b2e192c1740917403
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1740917402427&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=7067fdd7d0334684819d50ee1cfa2262&activityId=7067fdd7d0334684819d50ee1cfa2262&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=513804BEE1D446CB959C5DF274062C47&MUID=3C470BCB1C0769AC3E061E681D006839 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3C470BCB1C0769AC3E061E681D006839; _EDGE_S=F=1&SID=241E424EB7FD6DDD3A1357EDB6D66C3D; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.55sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7067FDD7D0334684819D50EE1CFA2262.RefC=2025-03-02T12:09:57Z; USRLOC=; MUID=3C470BCB1C0769AC3E061E681D006839; MUIDB=3C470BCB1C0769AC3E061E681D006839; _EDGE_S=F=1&SID=241E424EB7FD6DDD3A1357EDB6D66C3D; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=4ef07677-e719-49a0-af3d-d78cbee2d0ee; ai_session=uBDEGIBNJA/t4JqPHgvVax\|1740917402422\|1740917402422; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7067FDD7D0334684819D50EE1CFA2262.RefC=2025-03-02T12:09:57Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":9,"imageId":"AA12sf7A","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7067FDD7D0334684819D50EE1CFA2262.RefC=2025-03-02T12:09:57Z; USRLOC=; MUID=3C470BCB1C0769AC3E061E681D006839; MUIDB=3C470BCB1C0769AC3E061E681D006839; _EDGE_S=F=1&SID=241E424EB7FD6DDD3A1357EDB6D66C3D; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=4ef07677-e719-49a0-af3d-d78cbee2d0ee; ai_session=uBDEGIBNJA/t4JqPHgvVax\|1740917402422\|1740917402422; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7067FDD7D0334684819D50EE1CFA2262.RefC=2025-03-02T12:09:57Z

Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log0.9.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log0.9.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log0.9.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000003.2460508518.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2460812306.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2460893302.0000530800F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000003.00000003.2460508518.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2460812306.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2460893302.0000530800F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0hl68q9h4o8g4ekxt0rqHost: 116.203.11.236Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableServer: AkamaiGHostMime-Version: 1.0Content-Type: text/htmlContent-Length: 280Expires: Sun, 02 Mar 2025 12:10:58 GMTDate: Sun, 02 Mar 2025 12:10:58 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.e40d7b5c.1740917398.47a84130Access-Control-Allow-Headers: *Access-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin: *

Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2587596536.0000109C003A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2587596536.0000109C003A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2587596536.0000109C003A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2587596536.0000109C003A4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: xn3nGSFdRn.exe, 00000000.00000003.2330243239.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2343633367.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: xn3nGSFdRn.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: xn3nGSFdRn.exe	String found in binary or memory: http://crystalrich.com/internetoff
Source: xn3nGSFdRn.exe	String found in binary or memory: http://crystalrich.com/internetoff/open
Source: xn3nGSFdRn.exe	String found in binary or memory: http://crystalrich.com/internetoff/version.txtU
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000003.00000003.2462603114.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463390907.0000530800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463494071.0000530801094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462989016.0000530801074000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: xn3nGSFdRn.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: chrome.exe, 00000003.00000003.2462603114.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479378445.0000530800E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464167207.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464101455.00005308004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464137444.0000530800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463341116.00005308010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464232178.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463390907.0000530800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463494071.0000530801094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462989016.0000530801074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000003.00000003.2462603114.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479378445.0000530800E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464167207.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464101455.00005308004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464137444.0000530800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463341116.00005308010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464232178.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463390907.0000530800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463494071.0000530801094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462989016.0000530801074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000003.00000003.2462603114.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479378445.0000530800E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464167207.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464101455.00005308004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464137444.0000530800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463341116.00005308010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464232178.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463390907.0000530800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463494071.0000530801094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462989016.0000530801074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000003.00000003.2462603114.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479378445.0000530800E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464167207.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464101455.00005308004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464137444.0000530800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463341116.00005308010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464232178.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463390907.0000530800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463494071.0000530801094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462989016.0000530801074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: xn3nGSFdRn.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: xn3nGSFdRn.exe	String found in binary or memory: http://s.symcd.com06
Source: xn3nGSFdRn.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: xn3nGSFdRn.exe	String found in binary or memory: http://s2.symcb.com0
Source: xn3nGSFdRn.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: xn3nGSFdRn.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: xn3nGSFdRn.exe	String found in binary or memory: http://sv.symcd.com0&
Source: xn3nGSFdRn.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: xn3nGSFdRn.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: xn3nGSFdRn.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: xn3nGSFdRn.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: xn3nGSFdRn.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: xn3nGSFdRn.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: chromecache_422.5.dr	String found in binary or memory: http://www.broofa.com
Source: xn3nGSFdRn.exe	String found in binary or memory: http://www.indyproject.org/
Source: xn3nGSFdRn.exe	String found in binary or memory: http://www.safelyremove.com
Source: xn3nGSFdRn.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: xn3nGSFdRn.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2343633367.00000000007D4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236
Source: xn3nGSFdRn.exe, 00000000.00000003.2343633367.00000000007D4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/
Source: xn3nGSFdRn.exe, 00000000.00000003.2330243239.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/0
Source: xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/1
Source: xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/2
Source: xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/=
Source: xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/Certification
Source: xn3nGSFdRn.exe, 00000000.00000003.2343846298.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.0000000000798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/D
Source: xn3nGSFdRn.exe, 00000000.00000003.2343633367.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/E
Source: xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/L
Source: xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/Y
Source: xn3nGSFdRn.exe, 00000000.00000003.2343633367.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/a
Source: xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/f
Source: xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/h
Source: xn3nGSFdRn.exe, 00000000.00000003.2343846298.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/rosoft
Source: xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/s
Source: xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236/z
Source: xn3nGSFdRn.exe, 00000000.00000003.2793851390.00000000029C2000.00000004.00001000.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236hello
Source: xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://116.203.11.236hellohttps://t.me/l793oyir7amMozilla/5.0
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp, qiecj5.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000003.00000003.2455709235.0000530800454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457462923.0000530800454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.0000530800454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2461004603.0000530800454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chromecache_425.5.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_425.5.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp, chromecache_425.5.dr, chromecache_422.5.dr	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 00000007.00000002.2693235096.000001AB54059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: be499a2c-cb04-47a3-bc66-a28394fc6c70.tmp.10.dr	String found in binary or memory: https://assets.msn.com
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 5x47q9.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 5x47q9.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.10.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://c.msn.com/
Source: chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.9.dr, service_worker_bin_prod.js.9.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2455709235.0000530800454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457462923.0000530800454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.0000530800454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2461004603.0000530800454000.00000004.00000800.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000003.00000003.2461525178.0000530800D54000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000002.2695879945.0000109C00020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json0.9.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000003.00000003.2457882348.0000530800D54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2468215819.0000530800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463933050.000053080033C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2460020999.00005308004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457918412.0000530800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462741205.0000530800D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2460054118.0000530800D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2461525178.0000530800D54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000003.00000003.2447525003.00001A2000684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-query.fastly-edge.com/
Source: msedge.exe, 00000007.00000002.2695879945.0000109C00020000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.9.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: be499a2c-cb04-47a3-bc66-a28394fc6c70.tmp.10.dr	String found in binary or memory: https://clients2.google.com
Source: chrome.exe, 00000003.00000003.2443333631.00004078002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2443286060.00004078002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2451827362.00005308004D0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000002.2695879945.0000109C00020000.00000004.00000800.00020000.00000000.sdmp, manifest.json.9.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: be499a2c-cb04-47a3-bc66-a28394fc6c70.tmp.10.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_425.5.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_425.5.dr	String found in binary or memory: https://content.googleapis.com
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 5x47q9.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 5x47q9.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: xn3nGSFdRn.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: xn3nGSFdRn.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: xn3nGSFdRn.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Reporting and NEL.10.dr, 2cc80dabc69f58b6_0.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json.9.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000003.00000003.2487464403.0000530801624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2487419274.000053080161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chromecache_425.5.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json.9.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.9.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json.9.dr	String found in binary or memory: https://drive.google.com/
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log0.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log0.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log0.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 000003.log0.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.9.dr, 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 000003.log0.9.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_422.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_422.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_422.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_422.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/%r
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(q
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(r
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com//r
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/9r
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Cs
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Fs
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Fv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ht
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ms
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Mv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ps
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Pv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Rw
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Uq
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ws
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Wv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Zs
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Zv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/as
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/av
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ds
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/dv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/et
Source: chrome.exe, 00000003.00000003.2447525003.00001A2000684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gj
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ht
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ks
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/kv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ns
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/nv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/rt
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/us
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/uv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xs
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xv
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/yt
Source: chrome.exe, 00000003.00000003.2447525003.00001A2000684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000003.00000003.2447525003.00001A2000684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.2447525003.00001A2000684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000003.00000003.2447525003.00001A2000684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000003.00000003.2447794333.00001A20006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 00000007.00000002.2699790102.0000109C003AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: 5x47q9.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000003.00000003.2485113879.0000530801A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000003.00000003.2485171323.0000530801A20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2485085644.0000530801A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2485113879.0000530801A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000003.00000003.2485171323.0000530801A20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2485085644.0000530801A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2485113879.0000530801A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardS
Source: chrome.exe, 00000003.00000003.2486287710.00001A200080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000003.00000003.2480830362.0000530801484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480788859.00005308013BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479239644.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480502716.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000003.00000003.2447864655.00001A20006EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000003.00000003.2447010281.00001A2000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000003.00000003.2480830362.0000530801484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480788859.00005308013BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479239644.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480502716.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: msedge.exe, 00000007.00000002.2699790102.0000109C003AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000007.00000002.2699790102.0000109C003AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: Cookies.10.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.10.dr	String found in binary or memory: https://msn.comXIDv10E
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://music.apple.com
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000003.00000003.2461571366.0000530800FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2461468999.0000530800E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log8.9.dr, 2cc80dabc69f58b6_0.9.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log2.9.dr, 000003.log5.9.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log2.9.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.9.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 000003.log2.9.dr, 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13385390996815797.9.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.9.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: msedge.exe, 00000007.00000002.2699790102.0000109C003AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000003.00000003.2506961454.00005308012BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyn
Source: chrome.exe, 00000003.00000003.2481425560.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://open.spotify.com
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000003.00000003.2461643913.0000530800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000003.00000003.2461571366.0000530800FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2461468999.0000530800E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chromecache_422.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_425.5.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_425.5.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000003.00000003.2461571366.0000530800FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2461468999.0000530800E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://srtb.msn.com/
Source: chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000003.00000003.2480830362.0000530801484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480788859.00005308013BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479239644.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480502716.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: xn3nGSFdRn.exe, 00000000.00000003.2793851390.00000000029C2000.00000004.00001000.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
Source: xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
Source: xn3nGSFdRn.exe, 00000000.00000002.2802043743.00000000042BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: xn3nGSFdRn.exe, 00000000.00000002.2802043743.00000000042BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: xn3nGSFdRn.exe, 00000000.00000003.2793851390.00000000029C2000.00000004.00001000.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oy
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_425.5.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 5x47q9.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.deezer.com/
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000003.00000003.2479661112.00005308012BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000003.00000003.2479661112.00005308012BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000003.00000003.2461525178.0000530800D54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2458952072.00005308004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: content_new.js.9.dr, content.js.9.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000003.00000003.2480830362.0000530801484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480788859.00005308013BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479239644.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480502716.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: be499a2c-cb04-47a3-bc66-a28394fc6c70.tmp.10.dr	String found in binary or memory: https://www.googleapis.com
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chromecache_425.5.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_425.5.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000003.00000003.2467663238.00005308002A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chromecache_422.5.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_422.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_422.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000003.00000003.2480332065.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480830362.0000530801484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480788859.00005308013BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479239644.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480502716.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ewNYOTtoM3M.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.D8RxnyMyyQs.L.W.O/m=qmd
Source: xn3nGSFdRn.exe, 00000000.00000002.2802043743.00000000042BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: xn3nGSFdRn.exe, 00000000.00000002.2802043743.00000000042BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: xn3nGSFdRn.exe, 00000000.00000002.2802043743.00000000042BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2cc80dabc69f58b6_1.9.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.office.com
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 5x47q9.0.dr	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57929
Source: unknown	Network traffic detected: HTTP traffic on port 57957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57886
Source: unknown	Network traffic detected: HTTP traffic on port 57940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57885
Source: unknown	Network traffic detected: HTTP traffic on port 57886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57888
Source: unknown	Network traffic detected: HTTP traffic on port 57920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57920
Source: unknown	Network traffic detected: HTTP traffic on port 57860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57892
Source: unknown	Network traffic detected: HTTP traffic on port 57857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57890
Source: unknown	Network traffic detected: HTTP traffic on port 57937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 57931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57939
Source: unknown	Network traffic detected: HTTP traffic on port 57889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57934
Source: unknown	Network traffic detected: HTTP traffic on port 57960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57935
Source: unknown	Network traffic detected: HTTP traffic on port 57868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57931
Source: unknown	Network traffic detected: HTTP traffic on port 57919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 57892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 57911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57949
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57948
Source: unknown	Network traffic detected: HTTP traffic on port 57959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57945
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57940
Source: unknown	Network traffic detected: HTTP traffic on port 57888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57942
Source: unknown	Network traffic detected: HTTP traffic on port 57885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57950
Source: unknown	Network traffic detected: HTTP traffic on port 57939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 57891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 57897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 57954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57959
Source: unknown	Network traffic detected: HTTP traffic on port 57948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57960
Source: unknown	Network traffic detected: HTTP traffic on port 57880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 57934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 57930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 57953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 57841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 57929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57858
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57860
Source: unknown	Network traffic detected: HTTP traffic on port 57882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57861
Source: unknown	Network traffic detected: HTTP traffic on port 57942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57904
Source: unknown	Network traffic detected: HTTP traffic on port 57949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57868
Source: unknown	Network traffic detected: HTTP traffic on port 57961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57865
Source: unknown	Network traffic detected: HTTP traffic on port 57859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57870
Source: unknown	Network traffic detected: HTTP traffic on port 57941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 57958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57911
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57910
Source: unknown	Network traffic detected: HTTP traffic on port 57902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57881
Source: unknown	Network traffic detected: HTTP traffic on port 57944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57880
Source: unknown	Network traffic detected: HTTP traffic on port 57890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 57839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57898 -> 443

Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.11.236:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:57954 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:57955 version: TLS 1.2

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029B0A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,ReleaseDC,CloseWindow,

0_3_029B0A90

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029A6480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpy,CreateProcessA,Sleep,CloseDesktop,

0_3_029A6480

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_023E066E NtProtectVirtualMemory,	0_3_023E066E
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_023E10E8 NtTerminateThread,	0_3_023E10E8
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_023E0CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_3_023E0CD8
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_023E0B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	0_3_023E0B72
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_02382229 NtAllocateVirtualMemory,	0_2_02382229
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_0238227C NtFreeVirtualMemory,	0_2_0238227C
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_023822BA NtProtectVirtualMemory,	0_2_023822BA

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A4A20	0_3_029A4A20
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B8630	0_3_029B8630
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B93D0	0_3_029B93D0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029BA7D0	0_3_029BA7D0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029BB300	0_3_029BB300
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029BC100	0_3_029BC100
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029BB770	0_3_029BB770
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_0238081F	0_2_0238081F

Source: xn3nGSFdRn.exe

Static PE information: invalid certificate

Source: xn3nGSFdRn.exe

Static PE information: Resource name: RT_STRING type: PDP-11 separate I&D executable not stripped

Source: xn3nGSFdRn.exe, 00000000.00000000.2198350247.0000000000418000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs xn3nGSFdRn.exe
Source: xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs xn3nGSFdRn.exe
Source: xn3nGSFdRn.exe	Binary or memory string: OriginalFilename vs xn3nGSFdRn.exe

Source: xn3nGSFdRn.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: xn3nGSFdRn.exe

Binary string: \Device\Harddisk%d\Partition%dU

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@72/274@26/24

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029B0230 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

0_3_029B0230

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\SJY6AJ39.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8636:120:WilError_03

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\f07791ae-b431-4133-b80f-ccb20d90d8db.tmp

Jump to behavior

Source: Yara match	File source: xn3nGSFdRn.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xn3nGSFdRn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2198350247.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qieknozmo.0.dr, t26pphlfc.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: xn3nGSFdRn.exe	Virustotal: Detection: 40%
Source: xn3nGSFdRn.exe	ReversingLabs: Detection: 36%

Source: xn3nGSFdRn.exe	String found in binary or memory: NATS-SEFI-ADD
Source: xn3nGSFdRn.exe	String found in binary or memory: NATS-DANO-ADD
Source: xn3nGSFdRn.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: xn3nGSFdRn.exe	String found in binary or memory: jp-ocr-b-add
Source: xn3nGSFdRn.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: xn3nGSFdRn.exe	String found in binary or memory: jp-ocr-hand-add
Source: xn3nGSFdRn.exe	String found in binary or memory: ISO_6937-2-add

Source: unknown	Process created: C:\Users\user\Desktop\xn3nGSFdRn.exe "C:\Users\user\Desktop\xn3nGSFdRn.exe"
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2308,i,3555853924540401404,5638919351951329885,262144 /prefetch:8
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2384,i,10835794379392093070,15074625128958994288,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6984 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7024 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\hdj5f" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7216 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\hdj5f" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2308,i,3555853924540401404,5638919351951329885,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2384,i,10835794379392093070,15074625128958994288,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6984 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7024 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7216 --field-trial-handle=2088,i,4596690359085736585,18348921353520750298,262144 /prefetch:8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: xn3nGSFdRn.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xn3nGSFdRn.exe

Static file information: File size 3290904 > 1048576

Source: xn3nGSFdRn.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x283600

Source: xn3nGSFdRn.exe

Static PE information: More than 200 imports for user32.dll

Source: xn3nGSFdRn.exe

Static PE information: section name: .didata

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe TID: 8684

Thread sleep count: 99 > 30

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029AB6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	0_3_029AB6B0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B5EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,_mbscpy,_splitpath,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose,	0_3_029B5EB0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A7210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,memset,CopyFileA,DeleteFileA,memset,FindClose,	0_3_029A7210
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B4E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,FindClose,	0_3_029B4E70
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B3580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose,	0_3_029B3580
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A97B0 FindFirstFileA,FindNextFileA,strlen,	0_3_029A97B0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B3FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,FindClose,	0_3_029B3FD0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A13F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	0_3_029A13F0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A8360 FindFirstFileA,CopyFileA,FindNextFileA,strlen,CopyFileA,FindClose,	0_3_029A8360
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029A8C90 lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,strlen,lstrcpy,memset,lstrcpy,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpy,lstrcpy,CopyFileA,FindClose,FindClose,DeleteFileA,	0_3_029A8C90
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029AACD0 wsprintfA,FindFirstFileA,strlen,lstrlen,DeleteFileA,CopyFileA,FindClose,	0_3_029AACD0
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_3_029B4950 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrlen,lstrlen,	0_3_029B4950

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029B3AF0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen,

0_3_029B3AF0

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029AFDD0 GetSystemInfo,wsprintfA,

0_3_029AFDD0

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: Web Data.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Web Data.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Web Data.9.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: Web Data.9.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Web Data.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Web Data.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000074E000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2343846298.00000000007B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 00000007.00000003.2580722230.0000109C0033C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Web Data.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Web Data.9.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: msedge.exe, 00000007.00000002.2679706697.000001AB4EC53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Web Data.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Web Data.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Web Data.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Web Data.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Web Data.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Web Data.9.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Web Data.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Web Data.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Web Data.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Web Data.9.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2343846298.00000000007B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&2
Source: Web Data.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Web Data.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Web Data.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Web Data.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Web Data.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_023E01A3 LdrLoadDll,

0_3_023E01A3

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_0238081F mov edx, dword ptr fs:[00000030h]	0_2_0238081F
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_02380DDF mov eax, dword ptr fs:[00000030h]	0_2_02380DDF
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_0238142E mov eax, dword ptr fs:[00000030h]	0_2_0238142E
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_0238142F mov eax, dword ptr fs:[00000030h]	0_2_0238142F
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_02381E1D mov eax, dword ptr fs:[00000030h]	0_2_02381E1D
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Code function: 0_2_0238118F mov eax, dword ptr fs:[00000030h]	0_2_0238118F

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

0_3_029A2690

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029B1310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,

0_3_029B1310

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\hdj5f" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11

Source: xn3nGSFdRn.exe

Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: LocalAlloc,GetLocaleInfoA,GetLocaleInfoA,LocalFree,

0_3_029AFC20

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029BBAA0 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_3_029BBAA0

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029B6F80 memset,GetModuleFileNameA,ShellExecuteEx,memset,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,

0_3_029B6F80

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Code function: 0_3_029AFBC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_3_029AFBC0

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: xn3nGSFdRn.exe PID: 7088, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: xn3nGSFdRn.exe, 00000000.00000002.2795380335.000000000080B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\xn3nGSFdRn.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match

File source: Process Memory Space: xn3nGSFdRn.exe PID: 7088, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\xn3nGSFdRn.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: xn3nGSFdRn.exe PID: 7088, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Create Account	212 Process Injection	1 Masquerading	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	212 Process Injection	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	4 Data from Local System	4 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	13 Process Discovery	SSH	Keylogging	5 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	4 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	35 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xn3nGSFdRn.exe	41%	Virustotal		Browse
xn3nGSFdRn.exe	37%	ReversingLabs	Win32.Spyware.Vidar

Source	Detection	Scanner	Label
https://116.203.11.236/1	0%	Avira URL Cloud	safe
http://crystalrich.com/internetoff/version.txtU	0%	Avira URL Cloud	safe
https://116.203.11.236/=	0%	Avira URL Cloud	safe
https://116.203.11.236/E	0%	Avira URL Cloud	safe
https://116.203.11.236/2	0%	Avira URL Cloud	safe
https://116.203.11.236/D	0%	Avira URL Cloud	safe
https://116.203.11.236/0	0%	Avira URL Cloud	safe
https://116.203.11.236/s	0%	Avira URL Cloud	safe
https://116.203.11.236/z	0%	Avira URL Cloud	safe
https://116.203.11.236/h	0%	Avira URL Cloud	safe
https://116.203.11.236/a	0%	Avira URL Cloud	safe
https://116.203.11.236/f	0%	Avira URL Cloud	safe
https://116.203.11.236/Y	0%	Avira URL Cloud	safe
https://116.203.11.236/L	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
plus.l.google.com	142.250.185.238	true	false	high
play.google.com	172.217.16.206	true	false	high
a416.dscd.akamai.net	2.19.11.120	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
c-msn-pme.trafficmanager.net	13.74.129.1	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.244.18.122	true	false	high
www.google.com	216.58.212.132	true	false	high
e28578.d.akamaiedge.net	95.101.182.74	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
googlehosted.l.googleusercontent.com	172.217.18.1	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1740917405950&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.bd02dd0f5f9b69ef8b17.js	false	high
https://deff.nelreports.net/api/report?cat=msn	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false	high
https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true	false	high
https://assets.msn.com/statics/icons/favicon_newtabpage.png	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	false		high
https://duckduckgo.com/ac/?q=	xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/0	000003.log2.9.dr	false		high
https://116.203.11.236/2	xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.com/_default	QuotaManager.9.dr	false		high
http://anglebug.com/4633	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/1	xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://116.203.11.236/0	xn3nGSFdRn.exe, 00000000.00000003.2330243239.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anglebug.com/7382	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/=	xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ntp.msn.cn/edge/ntp	2cc80dabc69f58b6_1.9.dr	false		high
http://www.indyproject.org/	xn3nGSFdRn.exe	false		high
https://google-ohttp-relay-join.fastly-edge.com/(q	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crystalrich.com/internetoff/version.txtU	xn3nGSFdRn.exe	false	Avira URL Cloud: safe	unknown
https://116.203.11.236/E	xn3nGSFdRn.exe, 00000000.00000003.2343633367.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-join.fastly-edge.com/(r	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/D	xn3nGSFdRn.exe, 00000000.00000003.2343846298.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000002.2795380335.0000000000798000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000003.00000003.2462603114.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479378445.0000530800E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464167207.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464101455.00005308004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464137444.0000530800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463341116.00005308010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464232178.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463390907.0000530800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463494071.0000530801094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462989016.0000530801074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	manifest.json.9.dr	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	chrome.exe, 00000003.00000003.2461571366.0000530800FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2461468999.0000530800E68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/yt	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000003.00000003.2479591365.00005308013A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479794157.00005308012E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2480300104.000053080141C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge	1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	false		high
https://outlook.office.com/mail/compose?isExtension=true	1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	false		high
http://anglebug.com/6929	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.deezer.com/	1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	false		high
https://google-ohttp-relay-join.fastly-edge.com/Ht	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/h	xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anglebug.com/7489	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000003.00000003.2461525178.0000530800D54000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000002.2695879945.0000109C00020000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/s	xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/mathjax/	offscreendocument_main.js.9.dr, service_worker_bin_prod.js.9.dr	false		high
https://drive-daily-2.corp.google.com/	manifest.json.9.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	5x47q9.0.dr	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000003.00000003.2462603114.0000530801064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2479378445.0000530800E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464167207.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464878367.000053080120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464736316.000053080117C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464101455.00005308004A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464137444.0000530800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463341116.00005308010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464232178.0000530800FA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463390907.0000530800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2463494071.0000530801094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2462989016.0000530801074000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2464514152.000053080040C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview	chrome.exe, 00000003.00000003.2487464403.0000530801624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2487419274.000053080161C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000003.00000003.2509558704.0000530800C5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://unitedstates1.ss.wd.microsoft.us/	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.9.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr, Web Data.9.dr	false		high
https://116.203.11.236/z	xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://issuetracker.google.com/161903006	msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	xn3nGSFdRn.exe, 00000000.00000002.2798765413.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, qiecj5.0.dr	false		high
http://www.symauth.com/cps0(	xn3nGSFdRn.exe	false		high
https://drive-daily-1.corp.google.com/	manifest.json.9.dr	false		high
https://excel.new?from=EdgeM365Shoreline	1e6bebc3-b6c4-4413-8e2f-ac5090919e32.tmp.9.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json.9.dr	false		high
https://plus.google.com	chromecache_425.5.dr	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/L	xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL.10.dr	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	xn3nGSFdRn.exe	false		high
https://google-ohttp-relay-join.fastly-edge.com/9r	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Zs	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199829660832	xn3nGSFdRn.exe, 00000000.00000003.2793851390.00000000029C2000.00000004.00001000.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/l793oy	xn3nGSFdRn.exe, 00000000.00000003.2793851390.00000000029C2000.00000004.00001000.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2793965583.00000000028A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Zv	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	msedge.exe, 00000007.00000002.2695879945.0000109C00020000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.9.dr	false		high
https://drive-preprod.corp.google.com/	manifest.json.9.dr	false		high
https://srtb.msn.cn/	2cc80dabc69f58b6_1.9.dr	false		high
https://116.203.11.236/Y	xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/	manifest.json0.9.dr	false		high
https://google-ohttp-relay-join.fastly-edge.com/ks	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/f	xn3nGSFdRn.exe, 00000000.00000003.2384182384.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2370681216.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.cn/resolver/	2cc80dabc69f58b6_1.9.dr	false		high
https://google-ohttp-relay-join.fastly-edge.com/kv	chrome.exe, 00000003.00000003.2487604213.000053080165C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000003.00000003.2484647371.00005308014BC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://116.203.11.236/a	xn3nGSFdRn.exe, 00000000.00000003.2343633367.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, xn3nGSFdRn.exe, 00000000.00000003.2357115704.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://browser.events.data.msn.com/	2cc80dabc69f58b6_1.9.dr	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000007.00000003.2583772428.0000109C00280000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583241832.0000109C00278000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2583316912.0000109C0027C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	chrome.exe, 00000003.00000003.2455537354.0000530800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457090825.0000530800A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.2457059448.0000530800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	msedge.exe, 00000007.00000003.2584148903.0000109C00380000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.200.0.21	unknown	United States	20940	AKAMAI-ASN1EU	false
23.49.251.8	unknown	United States	16625	AKAMAI-ASUS	false
23.219.82.59	unknown	United States	20940	AKAMAI-ASN1EU	false
23.43.85.43	unknown	United States	3257	GTT-BACKBONEGTTDE	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
108.139.47.92	unknown	United States	16509	AMAZON-02US	false
13.74.129.1	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
116.203.11.236	unknown	Germany	24940	HETZNER-ASDE	true
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
216.58.212.132	www.google.com	United States	15169	GOOGLEUS	false
52.231.230.148	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.16.206	play.google.com	United States	15169	GOOGLEUS	false
18.244.18.122	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
142.250.185.238	plus.l.google.com	United States	15169	GOOGLEUS	false
172.217.18.1	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
23.43.85.36	unknown	United States	3257	GTT-BACKBONEGTTDE	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
2.19.11.120	a416.dscd.akamai.net	European Union	719	ELISA-ASHelsinkiFinlandEU	false
52.168.117.168	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
95.101.182.74	e28578.d.akamaiedge.net	European Union	20940	AKAMAI-ASN1EU	false

Private

IP
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1627452
Start date and time:	2025-03-02 13:08:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xn3nGSFdRn.exe renamed because original name is a hash value
Original Sample Name:	b6bd9bba1a2413d8e3ed5b3743d81961.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@72/274@26/24
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 76 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.185.110, 173.194.76.84, 142.250.181.238, 142.250.185.131, 172.217.23.106, 172.217.18.106, 142.250.185.138, 142.250.185.106, 142.250.186.106, 142.250.185.170, 142.250.186.42, 172.217.16.202, 216.58.206.42, 142.250.185.202, 142.250.185.74, 142.250.186.74, 216.58.212.170, 142.250.185.234, 216.58.206.74, 142.250.181.234, 142.250.184.238, 142.250.186.138, 142.250.186.170, 172.217.18.10, 142.250.184.202, 172.217.16.138, 142.250.74.202, 142.250.184.234, 142.251.13.95, 13.107.42.16, 13.107.21.239, 204.79.197.239, 142.250.185.206, 13.107.6.158, 20.191.45.158, 20.93.72.182, 88.221.110.179, 88.221.110.195, 23.15.178.147, 23.15.178.200, 23.15.178.226, 23.15.178.179, 23.15.178.234, 104.126.37.160, 104.126.37.185, 104.126.37.161, 104.126.37.186, 104.126.37.171, 104.126.37.170, 104.126.37.163, 104.126.37.178, 104.126.37.176, 142.251.32.99, 142.251.40.163, 142.250.64.99, 13.107.246.60, 20.12.23.50, 23.199.214.10, 94.245.104.56, 23.200.0.6, 150.171.28.10, 13.10
Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, data-edge.smartscreen.microsoft.com, img-s-msn-com.akamaized.net, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, clientservices.googleapis.com, clients2.google.com, e86303.dscx.akamaiedge.net, redirector.gvt1.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, th.bing.com, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, prod-agic-ne-1.northeurope.cloudapp.azure.com, optimizationguide-pa.googleapis.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, client.wns.windows.com, fs.microsoft.com, accounts.google.com, bingadsedgeextension-prod.trafficmanager.net, th.bing.com.edgekey.net, otelrules.azureedge.net, api.edgeoffer.microsoft.com, ogads-pa.googleapis.com, p-th.bing.com.trafficmanager.net, b-0005.b-msedge.net, prod-atm-wds-edge.trafficmanager.net,
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse
	Partnership Proposal + New Opportunity for more successful closing.pdf	Get hash	malicious	HTMLPhisher, Invisible JS	Browse
	0ajhlLnYRI.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse
	ynBVHwu6gx.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse
	https://report-dto51bfgo7f.pages.dev/	Get hash	malicious	Unknown	Browse
	Phish!MSR' in file 'US_DOA_Tender_2023.pdf'	Get hash	malicious	Unknown	Browse
	50-58-CSAgreement and Addendum Wednesday February 2025.pdf	Get hash	malicious	HTMLPhisher	Browse
	Tanveer Sethi_Voice-REC-481680954386772.html	Get hash	malicious	HTMLPhisher	Browse
	New Missed Call Notification for jim.huber 2252025 84809 PM.msg	Get hash	malicious	Unknown	Browse
	dwpk5JGAxF.exe	Get hash	malicious	Vidar	Browse
108.139.47.92	build.exe	Get hash	malicious	Vidar	Browse
	Xw9oZv75Ze.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse
	N11R7lRasm.exe	Get hash	malicious	Vidar	Browse
	wYfLzVg.exe	Get hash	malicious	Unknown	Browse
	bot2.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	jmkykhjksefkyt.exe	Get hash	malicious	Vidar	Browse
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse
23.200.0.21	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse
23.200.0.21	https://laser-gravur.cc/uploads/go.php?0g6dc	Get hash	malicious	Unknown	Browse
23.49.251.8	uwmC39FNho.exe	Get hash	malicious	Remcos	Browse
23.49.251.8	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse
23.219.82.59	N11R7lRasm.exe	Get hash	malicious	Vidar	Browse
	https://eur01.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Finnerworks621-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Ffbayoumi_iwexpress_com%2FEV18-ULK3bBFgswwIocxhGgB_RycisFJYnuNE85X0INcoQ%3Fe%3DPJWGhb&data=05%7C02%7Cm.schwarzfaerber%40gutmann.de%7Cba71d958cbce4017fe2b08dd4c1498cf%7Cb8afaafb131d4ce28085e6ff7718d438%7C0%7C0%7C638750373515189602%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jFoC7e8%2BnChKZDPYgfO8Z0D6BEVH0spDWEnRRVzuauE%3D&reserved=0	Get hash	malicious	Unknown	Browse
	PI3b9Y973c.exe	Get hash	malicious	Unknown	Browse
	NRKCZ1PSDM.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	CLOlOswCpi.msi	Get hash	malicious	Unknown	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	172.64.41.3
	VRChat_ERP_Setup 1.0.0.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	0ajhlLnYRI.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	162.159.61.3
	ynBVHwu6gx.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	162.159.61.3
	https://www.asiafont.com/asfont/am_dl.php?font=win_FontTong3	Get hash	malicious	Unknown	Browse	172.64.41.3
	Tanveer Sethi_Voice-REC-481680954386772.html	Get hash	malicious	HTMLPhisher	Browse	162.159.61.3
	New Missed Call Notification for jim.huber 2252025 84809 PM.msg	Get hash	malicious	Unknown	Browse	162.159.61.3
	dwpk5JGAxF.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	F2024065877 (1).html	Get hash	malicious	Unknown	Browse	172.64.41.3
	Tokenova.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
a416.dscd.akamai.net	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	2.22.242.11
	0ajhlLnYRI.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	104.124.11.32
	ynBVHwu6gx.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	2.22.242.105
	VtrZVhhVGV.msi	Get hash	malicious	RedLine	Browse	2.19.11.100
	New Missed Call Notification for jim.huber 2252025 84809 PM.msg	Get hash	malicious	Unknown	Browse	2.19.11.120
	dwpk5JGAxF.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
	F2024065877 (1).html	Get hash	malicious	Unknown	Browse	2.19.11.100
	Tokenova.exe	Get hash	malicious	Vidar	Browse	2.16.164.104
	New Sharefile - peRd9Y.svg	Get hash	malicious	Phisher	Browse	2.22.242.105
a-0003.a-msedge.net	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	204.79.197.203
	1ZXaFij.exe	Get hash	malicious	Xmrig	Browse	204.79.197.203
	0ajhlLnYRI.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	204.79.197.203
	ynBVHwu6gx.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	204.79.197.203
	VtrZVhhVGV.msi	Get hash	malicious	RedLine	Browse	204.79.197.203
	new order pdf.exe	Get hash	malicious	FormBook	Browse	204.79.197.203
	dwpk5JGAxF.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	Tokenova.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	crypted.exe	Get hash	malicious	FormBook	Browse	204.79.197.203

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	104.70.121.177
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	104.80.9.199
	http://136.0.141.238:8040/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&t=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=&c=&c=&c=	Get hash	malicious	ScreenConnect Tool	Browse	95.101.79.17
	random.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc	Browse	23.67.133.187
	GHpWbrQ.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	23.197.127.21
	E3WGlpL.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	setup.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	owari.ppc.elf	Get hash	malicious	Unknown	Browse	104.97.147.116
	owari.spc.elf	Get hash	malicious	Unknown	Browse	104.97.147.128
	https://scribehow.com/page/Request_for_Proposal_RFP__qJcfOklYQRy3AAQjXCM51w	Get hash	malicious	Invisible JS	Browse	2.22.61.137
AKAMAI-ASN1EU	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	104.70.121.177
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	104.80.9.199
	http://136.0.141.238:8040/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&t=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=&c=&c=&c=	Get hash	malicious	ScreenConnect Tool	Browse	95.101.79.17
	random.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc	Browse	23.67.133.187
	GHpWbrQ.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	23.197.127.21
	E3WGlpL.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	setup.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	owari.ppc.elf	Get hash	malicious	Unknown	Browse	104.97.147.116
	owari.spc.elf	Get hash	malicious	Unknown	Browse	104.97.147.128
	https://scribehow.com/page/Request_for_Proposal_RFP__qJcfOklYQRy3AAQjXCM51w	Get hash	malicious	Invisible JS	Browse	2.22.61.137
AKAMAI-ASUS	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.223.209.207
	D5biXrj4Yc.ps1	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	posh_injected_payload.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	cbr.ppc.elf	Get hash	malicious	Mirai	Browse	23.44.181.40
	cbr.spc.elf	Get hash	malicious	Mirai	Browse	96.25.164.162
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	173.223.114.182
	http://SMOKEDFINEFOOD.CO.UK	Get hash	malicious	HTMLPhisher	Browse	2.19.224.184
	http://136.0.141.238:8040/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&t=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=NordeaS%C3%A4kerhet&c=&c=&c=&c=	Get hash	malicious	ScreenConnect Tool	Browse	23.60.203.209
	w26DFTmyjC.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	owari.arm7.elf	Get hash	malicious	Mirai	Browse	23.214.68.236
GTT-BACKBONEGTTDE	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.43.85.17
	owari.mips.elf	Get hash	malicious	Unknown	Browse	212.74.31.0
	res.arm5.elf	Get hash	malicious	Mirai	Browse	213.251.29.150
	ynBVHwu6gx.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	23.43.85.23
	res.arm7.elf	Get hash	malicious	Mirai	Browse	46.33.94.229
	spc.elf	Get hash	malicious	Unknown	Browse	204.93.45.102
	F2024065877 (1).html	Get hash	malicious	Unknown	Browse	23.56.210.49
	nabspc.elf	Get hash	malicious	Unknown	Browse	77.67.45.225
	x86.elf	Get hash	malicious	Unknown	Browse	198.60.91.62

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Trojan.Dropper.23420.16924.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.115.3.253 40.113.103.199
	Idrddohxnh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.115.3.253 40.113.103.199
	windows.ps1	Get hash	malicious	PureLog Stealer, Vidar	Browse	40.115.3.253 40.113.103.199
	posh_injected_payload.exe	Get hash	malicious	LummaC Stealer	Browse	40.115.3.253 40.113.103.199
	SilverClient.exe	Get hash	malicious	AsyncRAT, SilverRat	Browse	40.115.3.253 40.113.103.199
	XM60ArhAHY.exe	Get hash	malicious	Quasar	Browse	40.115.3.253 40.113.103.199
	sms-sender.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	sms-sender.exe	Get hash	malicious	ScreenConnect Tool	Browse	40.115.3.253 40.113.103.199
	installer.exe	Get hash	malicious	XWorm	Browse	40.115.3.253 40.113.103.199
	CalcVaults.exe	Get hash	malicious	Unknown	Browse	40.115.3.253 40.113.103.199
51c64c77e60f3980eea90869b68c58a8	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse	116.203.11.236
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse	116.203.11.236
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse	116.203.11.236
	file.exe	Get hash	malicious	Socks5Systemz	Browse	116.203.11.236
	file.exe	Get hash	malicious	Socks5Systemz	Browse	116.203.11.236
	yMwA2Hcj3Q.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	116.203.11.236
	server.exe	Get hash	malicious	Ursnif	Browse	116.203.11.236
	silk.exe	Get hash	malicious	Socks5Systemz	Browse	116.203.11.236
	silk.exe	Get hash	malicious	Socks5Systemz	Browse	116.203.11.236
	ok2W3lr6k5.exe	Get hash	malicious	Amadey, GCleaner, Healer AV Disabler, LummaC Stealer, Vidar	Browse	116.203.11.236

Process:	C:\Users\user\Desktop\xn3nGSFdRn.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	10237
Entropy (8bit):	5.498288591230544
Encrypted:	false
SSDEEP:	192:/nTFTRRFYbBp6SLZNMGaXU6qU4rzy+/3/OYiNBw8D7Sl:LreDFNMroyrdw60
MD5:	0F58C61DE9618A1B53735181E43EE166
SHA1:	CC45931CF12AF92935A84C2A015786CC810AEC3A
SHA-256:	AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
SHA-512:	DEA527C22D4AA607B00FBBCC1CDD9C6B69E92EC3B1B14649A086E87258AAD5C280BFB2835C165176E8759F575AA39D1B58E25CB40F60C7E88D94243A874B71BE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696486832);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44898
Entropy (8bit):	6.096149563342967
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWWbi1zNtGLONGdYPm++KJDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn3OSKtSmd6qE7lFoC
MD5:	91ACFEF181CAA050CC1A5BFAC8B75C7B
SHA1:	5DAC8AD85BE200AA266378F29A28A7682ADA14CF
SHA-256:	81E3EEB79106E6B9AE747D73950E86213B07B2EBA19E01353833829D23675D4A
SHA-512:	E0D359FDA592391B8445F170E7D19393BDCEAF959497EA715B82A0EC3F739B996D2C966F8F62D0B6B06D90913B514CF96307D30ACCD894FCEAD8C76BC8484032
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2412)
Category:	downloaded
Size (bytes):	171845
Entropy (8bit):	5.5552243130268115
Encrypted:	false
SSDEEP:	3072:VYjt0GQnb64a3OwOYrNwWYqJFBE+RTSPnrhBltXDiNlvMBpS1nPeq+F+fkSkj5kx:VYjt0fb64a3OwOYrNwWhJFBE+R2PrhBA
MD5:	7F19D9586787C1D1C2D28873A51EF066
SHA1:	8134C350DAC1DC64704EE91CDDACBFDBE9409D15
SHA-256:	2D88BC9C86BDC338E32B9AC32B5193CD79DED498775946A31B22FB5C0B2641CA
SHA-512:	4B2439B1BDB090C247E535DC6A126831171CACB8585A9A2869E8F634A249DA2BAEA6E1A5C4FBF70097AECA64D915DA7818CB2933E8DCA6044AB6150D61CE1A7E
Malicious:	false
URL:	"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ewNYOTtoM3M.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTtNk2aZJ51QiD8lNS04_Z_47poXsg"
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{._.Qi=function(a){if(4&a)return 2048&a?2048:4096&a?4096:0};_.Ri=class extends _.P{constructor(a){super(a)}};.}catch(e){_._DumpException(e)}.try{.var Si,Vi,Wi,Yi,Zi,bj;Si=function(){return typeof BigInt==="function"};Vi=function(a){const b=a>>>0;_.Ti=b;_.Ui=(a-b)/4294967296>>>0};Wi=function(a,b){b=~b;a?a=~a+1:b+=1;return[a,b]};_.Xi=function(a){if(a<0){Vi(-a);const [b,c]=Wi(_.Ti,_.Ui);_.Ti=b>>>0;_.Ui=c>>>0}else Vi(a)};Yi=function(a){a=String(a);return"0000000".slice(a.length)+a};.Zi=function(a,b){b>>>=0;a>>>=0;if(b<=2097151)var c=""+(4294967296b+a);else Si()?c=""+(BigInt(b)<<BigInt(32)\|BigInt(a)):(c=(a>>>24\|b<<8)&16777215,b=b>>16&65535,a=(a&16777215)+c6777216+b6710656,c+=b8147497,b*=2,a>=1E7&&(c+=a/1E7>>>0,a%=1E7),c>=1E7&&(b+=c/1E7>>>0,c%=1E7),c=b+Yi(c)+Yi(a));return c};_.$i=function(a,b){if(b&2147483648)if(Si())a=""+(BigInt(b\|0)<<BigInt(32)\|BigInt(a>>>0));else{const [c,d]=Wi(a,b);a="-"+Zi(c,d)}else a=Zi(a,b);return a};._.aj

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.572881146330989
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	xn3nGSFdRn.exe
File size:	3'290'904 bytes
MD5:	b6bd9bba1a2413d8e3ed5b3743d81961
SHA1:	d109bcc2f82c65aa6ab7b7a46a2b6e35721021c8
SHA256:	1cea85b0fdaa55fa1b59610e986a3ff895e838264d1f9624d3518153f8eec4a4
SHA512:	de9fa003a14622de5e11e4b3d5fe4e03359d6eeb92e94f8d47e8d51e60cb29bfa4dda8336d82cb1c4b5398bee6760862ee2fce83c0a4ed9ce4467528108c01fd
SSDEEP:	49152:/KI4dn/japkSAUHxLZKAHyc4pR0H1pluJhMCyTiFyL14X6t/M:/H4t/UZKASc4pwplAJyNZM
TLSH:	96E57C12B284503BD2771A3B4C779749693FBA602A65DD0B2EA40E4C8F3CB85ED36717
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Entrypoint:	0x6872b0
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x57456802 [Wed May 25 08:53:22 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e441bc7ba7742d87ae394074bc124d33

Signature Valid:	false
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	21/05/2016 20:00:00 02/02/2017 18:59:59
Subject Chain	CN=Crystal Rich Ltd, O=Crystal Rich Ltd, L=Saint Petersburg, S=Saint Petersburg, C=RU
Version:	3
Thumbprint MD5:	702BF195D69FE70CFE308E376CB2972D
Thumbprint SHA-1:	A1CE8EAF4EE9F14BA0B5AD05DDF0F1035A9AA869
Thumbprint SHA-256:	8AAF855D1D1FEEB42966DE2C8ED90A6D841F0B18935637506F55E5F61831D8F6
Serial:	26C8011E27F667CF5FD468DCB4AC16BE

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29e000	0x45ac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2da000	0x53000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x320400	0x3318	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a6000	0x334f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a5000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29ece4	0xa78	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2a3000	0x85e	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x283510	0x283600	7cbebde5a88aba2eb45955d22a2ad336	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x285000	0x233c	0x2400	84955e3782623efad70b059ded947909	False	0.5174696180555556	data	6.084455144211807	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x288000	0xec54	0xee00	44825783bbc537586cabf24d16c28e00	False	0.5255055147058824	data	5.847872059073766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x297000	0x60b4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x29e000	0x45ac	0x4600	1ca86fc2335a4062c370f65e8ff99926	False	0.3111049107142857	data	5.315653794085777	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x2a3000	0x85e	0xa00	baac6e428e0395e2deaa9c184b1a1121	False	0.315625	data	3.644660311524356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2a4000	0x54	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2a5000	0x18	0x200	df35b59f47eecfcc76eb9166542974c2	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a6000	0x334f0	0x33600	e7cb36912784993f9093cee630057649	False	0.5579427083333334	data	6.700734976711624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x2da000	0x53000	0x53000	a670c7b2a655aca2d620164992b5bf18	False	0.6312417639307228	data	6.648887310061927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x2db640	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x2db774	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x2db8a8	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x2db9dc	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x2dbb10	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x2dbc44	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x2dbd78	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x2dbeac	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x2dc07c	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x2dc260	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x2dc430	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x2dc600	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x2dc7d0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x2dc9a0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x2dcb70	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x2dcd40	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x2dcf10	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_ICON	0x2dd0e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.6297974413646056
RT_ICON	0x2ddf88	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.8000902527075813
RT_ICON	0x2de830	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.8143063583815029
RT_ICON	0x2ded98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.6275933609958506
RT_ICON	0x2e1340	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6887898686679175
RT_ICON	0x2e23e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.8439716312056738
RT_ICON	0x2e2850	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8475177304964538
RT_ICON	0x2e2cb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8351063829787234
RT_STRING	0x2e3120	0x330	AmigaOS bitmap font "a", fc_YSize 26880, 18432 elements, 2nd "g", 3rd "t"			0.39828431372549017
RT_STRING	0x2e3450	0x244	data			0.44310344827586207
RT_STRING	0x2e3694	0x404	data			0.372568093385214
RT_STRING	0x2e3a98	0xd28	PDP-11 separate I&D executable not stripped			0.25415676959619954
RT_STRING	0x2e47c0	0xc38	data			0.2618286445012788
RT_STRING	0x2e53f8	0xad0	data			0.31972543352601157
RT_STRING	0x2e5ec8	0x818	data			0.3137065637065637
RT_STRING	0x2e66e0	0x820	data			0.2721153846153846
RT_STRING	0x2e6f00	0x434	data			0.42193308550185876
RT_STRING	0x2e7334	0x480	data			0.3993055555555556
RT_STRING	0x2e77b4	0x2f8	data			0.425
RT_STRING	0x2e7aac	0x460	data			0.39732142857142855
RT_STRING	0x2e7f0c	0x3a0	data			0.44612068965517243
RT_STRING	0x2e82ac	0x3d8	data			0.3628048780487805
RT_STRING	0x2e8684	0x2f0	data			0.4162234042553192
RT_STRING	0x2e8974	0x460	data			0.4
RT_STRING	0x2e8dd4	0xbc0	data			0.2666223404255319
RT_STRING	0x2e9994	0x5f4	data			0.36548556430446194
RT_STRING	0x2e9f88	0x824	data			0.10508637236084453
RT_STRING	0x2ea7ac	0x860	data			0.14738805970149255
RT_STRING	0x2eb00c	0x874	data			0.15295748613678373
RT_STRING	0x2eb880	0x7c0	data			0.16129032258064516
RT_STRING	0x2ec040	0x990	data			0.11519607843137254
RT_STRING	0x2ec9d0	0x9b4	data			0.12198067632850242
RT_STRING	0x2ed384	0x324	data			0.3407960199004975
RT_STRING	0x2ed6a8	0x10c	StarOffice Gallery theme S, 1459635456 objects, 1st P			0.6492537313432836
RT_STRING	0x2ed7b4	0x124	data			0.6438356164383562
RT_STRING	0x2ed8d8	0x1f8	data			0.373015873015873
RT_STRING	0x2edad0	0x22c	data			0.48741007194244607
RT_STRING	0x2edcfc	0x218	data			0.39552238805970147
RT_STRING	0x2edf14	0x20c	data			0.43702290076335876
RT_STRING	0x2ee120	0x16c	data			0.5659340659340659
RT_STRING	0x2ee28c	0x37c	data			0.41591928251121074
RT_STRING	0x2ee608	0x390	data			0.42105263157894735
RT_STRING	0x2ee998	0x42c	data			0.3333333333333333
RT_STRING	0x2eedc4	0x2d0	data			0.4166666666666667
RT_STRING	0x2ef094	0x468	StarOffice Gallery theme l, 1677731072 objects, 1st l			0.3900709219858156
RT_STRING	0x2ef4fc	0xa0	data			0.7125
RT_STRING	0x2ef59c	0xe4	data			0.6359649122807017
RT_STRING	0x2ef680	0x2bc	data			0.4328571428571429
RT_STRING	0x2ef93c	0x2b4	data			0.4638728323699422
RT_STRING	0x2efbf0	0x408	data			0.3817829457364341
RT_STRING	0x2efff8	0x374	data			0.39705882352941174
RT_STRING	0x2f036c	0x47c	data			0.2874564459930314
RT_STRING	0x2f07e8	0x330	data			0.4264705882352941
RT_STRING	0x2f0b18	0x608	data			0.3490932642487047
RT_STRING	0x2f1120	0x4a8	data			0.3498322147651007
RT_STRING	0x2f15c8	0x374	data			0.3563348416289593
RT_STRING	0x2f193c	0x404	data			0.377431906614786
RT_STRING	0x2f1d40	0x1ec	data			0.3983739837398374
RT_STRING	0x2f1f2c	0xc4	data			0.6428571428571429
RT_STRING	0x2f1ff0	0x120	data			0.6319444444444444
RT_STRING	0x2f2110	0x35c	data			0.4174418604651163
RT_STRING	0x2f246c	0x498	data			0.3052721088435374
RT_STRING	0x2f2904	0x368	data			0.3795871559633027
RT_STRING	0x2f2c6c	0x2c8	data			0.4353932584269663
RT_RCDATA	0x2f2f34	0x10	data			1.5
RT_RCDATA	0x2f2f44	0x10fc	data			0.5048298068077277
RT_RCDATA	0x2f4040	0x2	data	English	United States	5.0
RT_RCDATA	0x2f4044	0x55a8	Delphi compiled form 'TAppSettingsForm'			0.2733491426486684
RT_RCDATA	0x2f95ec	0x73ab	Delphi compiled form 'TfrmAbout'			0.9786903515585424
RT_RCDATA	0x300998	0x366d	Delphi compiled form 'TfrmCheckNewVersion'			0.956147276250628
RT_RCDATA	0x304008	0x941f	Delphi compiled form 'TfrmCRMessageBox'			0.3239273187584061
RT_RCDATA	0x30d428	0x5cc	Delphi compiled form 'TInternetLeftBox'			0.4339622641509434
RT_RCDATA	0x30d9f4	0x32ad	Delphi compiled form 'TMainForm'			0.9066522778077546
RT_RCDATA	0x310ca4	0x13b5	Delphi compiled form 'TVerifyPasswordForm'			0.9706640237859266
RT_GROUP_CURSOR	0x31205c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x312070	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x312084	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x312098	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3120ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3120c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3120d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x3120e8	0x5a	data	English	United States	0.7
RT_GROUP_ICON	0x312144	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x312158	0x14	data	English	United States	1.25
RT_VERSION	0x31216c	0x30c	data	English	United States	0.4551282051282051
RT_MANIFEST	0x312478	0x2ca	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5028011204481793

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, lstrcpynW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, DeleteFileW, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterHotKey, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterHotKey, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, CharLowerBuffA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	GradientFill, AlphaBlend
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrlenA, lstrlenW, lstrcmpW, WriteFile, WideCharToMultiByte, WaitNamedPipeW, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerLanguageNameW, UnmapViewOfFile, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, SearchPathW, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MoveFileW, MapViewOfFile, LockResource, LocalFree, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsValidLocale, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathW, GetTempFileNameW, GetSystemInfo, GetSystemDirectoryW, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedExchangeAdd, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushInstructionCache, FindResourceW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, ExpandEnvironmentStringsW, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateMutexW, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringA, CompareStringW, CloseHandle, CallNamedPipeW
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, AdjustTokenPrivileges
kernel32.dll	Sleep
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW, SHAppBarMessage, FindExecutableW
shell32.dll	SHChangeNotifyRegister, SHChangeNotifyDeregister, SHChangeNotification_Unlock, SHGetSpecialFolderPathW, SHGetPathFromIDListW, SHGetDesktopFolder
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
kernel32.dll	GetVersionExW
shell32.dll	SHChangeNotification_Lock
kernel32.dll	FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, SetVolumeMountPointW, DeleteVolumeMountPointW, GetVolumeNameForVolumeMountPointW
CfgMgr32.dll	CM_Get_DevNode_Status
SetupApi.dll	CM_Get_Parent, CM_Locate_DevNodeW, SetupDiGetDeviceRegistryPropertyW, CM_Get_Device_ID_ExW, CM_Request_Device_Eject_ExW, SetupDiCallClassInstaller, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInstallParamsW, SetupDiSetClassInstallParamsW, SetupDiGetDeviceInstanceIdW, SetupDiGetDeviceInterfaceDetailW, SetupDiGetClassDevsW
iphlpapi.dll	NotifyAddrChange, GetInterfaceInfo, GetIfEntry
msimg32.dll	GradientFill
kernel32.dll	MulDiv

Description	Data
CompanyName	Crystal Rich Ltd
FileDescription	InternetOff - turn off your internet to avoid distractions
FileVersion	3.0.1.68
InternalName	InternetOff
LegalCopyright	Copyright 2016 by Crystal Rich Ltd
ProductName	InternetOff
ProductVersion	3.0.1.68
Translation	0x0409 0x04b0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xn3nGSFdRn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\hdj5f\5x47q9

C:\ProgramData\hdj5f\m7ymoh

C:\ProgramData\hdj5f\ph47qi

C:\ProgramData\hdj5f\qiecj5

C:\ProgramData\hdj5f\qieknozmo

C:\ProgramData\hdj5f\rimoh4

C:\ProgramData\hdj5f\t26pphlfc

C:\ProgramData\hdj5f\tjw47y

C:\ProgramData\hdj5f\vsr1dj

Windows Analysis Report
xn3nGSFdRn.exe