Edit tour

Windows Analysis Report
ESVoO7ywn5.exe

Overview

General Information

Sample name:	ESVoO7ywn5.exe renamed because original name is a hash value
Original sample name:	7ff72f21d83d3abdc706781fb3224111.exe
Analysis ID:	1628973
MD5:	7ff72f21d83d3abdc706781fb3224111
SHA1:	3bfbe059b8e491bde4919fb29afa84d4ea1c0fa8
SHA256:	0c54843666a464f185c97a7693a91eb328827a900717e414357b897bd2630fea
Tags:	exeuser-abuse_ch
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ESVoO7ywn5.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\ESVoO7ywn5.exe" MD5: 7FF72F21D83D3ABDC706781FB3224111)

BitLockerToGo.exe (PID: 7980 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

chrome.exe (PID: 6384 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2156,i,1131510046767708764,2246000416851658240,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 5696 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5632 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2412,i,9274776203736152754,605761456401538253,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4036 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6372 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2460,i,1138376815955586151,5217051833138542039,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3028 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7376 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2332,i,2532517917331351372,14812221957189302912,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6076 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6548 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2616 --field-trial-handle=2412,i,16560664075412926242,1091205746907078500,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7592 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6332 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2044,i,15981325911887861837,13651116499266714493,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6748 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2520 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1224,i,17455348826925458802,6377544182770007866,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7208 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3088 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2100,i,13483832867504272092,8759147376075008789,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1792 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7864 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2536 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6452 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6628 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7752 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6820 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199829660832", "Botnet": "ir7am"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1711447108.000000000A3E4000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
00000000.00000002.1711628200.000000000A544000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000003.1523614063.000000000A42C000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
00000000.00000003.1523614063.000000000A450000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
00000000.00000002.1711447108.000000000A408000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1d553:$str02: Work Dir: In memory 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1ddeb:$str14: <Pass encoding="base64"> 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
00000000.00000002.1711567168.000000000A450000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
00000000.00000002.1711567168.000000000A42C000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7980	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 7980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.ESVoO7ywn5.exe.a450000.1.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
0.2.ESVoO7ywn5.exe.a450000.4.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
0.2.ESVoO7ywn5.exe.a3e4000.2.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
0.2.ESVoO7ywn5.exe.a408000.3.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1d553:$str02: Work Dir: In memory 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1ddeb:$str14: <Pass encoding="base64"> 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
0.2.ESVoO7ywn5.exe.a42c000.5.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
4.2.BitLockerToGo.exe.700000.0.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
0.3.ESVoO7ywn5.exe.a42c000.2.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 7980, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 6384, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T10:17:08.669911+0100	2044247	1	Malware Command and Control Activity Detected	95.217.27.252	443	192.168.2.7	49963	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T10:17:10.125104+0100	2051831	1	Malware Command and Control Activity Detected	95.217.27.252	443	192.168.2.7	49973	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T10:17:08.669697+0100	2049087	1	A Network Trojan was detected	192.168.2.7	49963	95.217.27.252	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T10:17:11.638481+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49974	95.217.27.252	443	TCP
2025-03-04T10:17:13.050994+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49975	95.217.27.252	443	TCP
2025-03-04T10:17:13.227118+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49976	95.217.27.252	443	TCP
2025-03-04T10:17:14.270732+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49978	95.217.27.252	443	TCP
2025-03-04T10:17:16.341912+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49979	95.217.27.252	443	TCP
2025-03-04T10:17:25.550967+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50000	95.217.27.252	443	TCP
2025-03-04T10:17:26.635294+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50003	95.217.27.252	443	TCP
2025-03-04T10:17:27.899943+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50004	95.217.27.252	443	TCP
2025-03-04T10:17:28.942669+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50005	95.217.27.252	443	TCP
2025-03-04T10:17:30.724339+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50006	95.217.27.252	443	TCP
2025-03-04T10:18:10.351248+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50049	95.217.27.252	443	TCP
2025-03-04T10:18:12.445897+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50067	95.217.27.252	443	TCP
2025-03-04T10:18:13.674912+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50071	95.217.27.252	443	TCP
2025-03-04T10:18:15.625993+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50090	95.217.27.252	443	TCP
2025-03-04T10:18:20.157281+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50102	95.217.27.252	443	TCP
2025-03-04T10:18:24.569650+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	50113	95.217.27.252	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T10:17:13.227118+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49976	95.217.27.252	443	TCP
2025-03-04T10:17:14.270732+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49978	95.217.27.252	443	TCP
2025-03-04T10:17:16.341912+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49979	95.217.27.252	443	TCP
2025-03-04T10:17:27.899943+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	50004	95.217.27.252	443	TCP
2025-03-04T10:17:28.942669+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	50005	95.217.27.252	443	TCP
2025-03-04T10:17:30.724339+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	50006	95.217.27.252	443	TCP
2025-03-04T10:18:12.445897+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	50067	95.217.27.252	443	TCP
2025-03-04T10:18:13.674912+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	50071	95.217.27.252	443	TCP
2025-03-04T10:18:15.625993+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	50090	95.217.27.252	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T10:17:05.779157+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.7	49941	95.217.27.252	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ESVoO7ywn5.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://d.mx.goldenloafuae.com/#	Avira URL Cloud: Label: malware
Source: https://d.mx.goldenloafuae.com/ource	Avira URL Cloud: Label: malware
Source: https://d.mx.goldenloafuae.com/J	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.ESVoO7ywn5.exe.a3e4000.2.unpack

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199829660832", "Botnet": "ir7am"}

Multi AV Scanner detection for submitted file

Source: ESVoO7ywn5.exe	Virustotal: Detection: 48%			Perma Link
Source: ESVoO7ywn5.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00710830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	4_2_00710830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00706A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA,	4_2_00706A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0070A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	4_2_0070A150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00706CF0 LocalAlloc,BCryptDecrypt,	4_2_00706CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0070A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	4_2_0070A560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00706940 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	4_2_00706940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00706980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	4_2_00706980

Source: ESVoO7ywn5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.7:49930 version: TLS 1.2

Source: ESVoO7ywn5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: ESVoO7ywn5.exe, 00000000.00000002.1711447108.000000000A380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: ESVoO7ywn5.exe, 00000000.00000002.1711447108.000000000A380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +Inf-1.0-Inf-inf...:.3dm.INF.Inf.NAN.NaN.aab.aam.aas.abc.ace.afl.aif.aim.aip.alz.ani.aos.apk.aps.arc.arj.art.asf.asm.asp.asx.avi.avs.bat.bin.bmp.boo.boz.bsh.bz2.c++.cab.cat.cco.cdf.cer.cha.cmd.com.cpp.cpt.crl.crt.crx.csh.css.csv.cxx.dar.dcr.deb.def.der.dif.dir.dmg.doc.dot.drw.dvi.dwf.dwg.dxf.dxr.elc.eml.env.eps.etx.evy.exe.f77.f90.fdf.fif.fli.flo.flv.flw.flx.fmf.for.fpx.frl.gif.gsd.gsm.gsp.gss.hdf.hgl.hlb.hlp.hpg.hqx.hta.htc.htm.htt.htx.ice.ico.ics.icz.idc.ief.igs.ima.inf.ins.isu.ivr.ivy.jam.jav.jcm.jpe.jpg.jps.jut.kar.key.kfo.kml.kmz.kon.kpr.kpt.ksh.ksp.kth.kwd.kwt.lam.lha.lhx.lma.log.lsp.lst.lsx.ltx.lzh.lzx.m1v.m2a.m2v.m3u.man.map.mar.mbd.mc$.mcd.mcf.mcp.mht.mid.mif.mjf.mjs.mme.mod.mov.mp2.mp3.mp4.mpa.mpc.mpe.mpg.mpp.mpt.mpv.mpx.mrc.mzz.nan.nap.ncm.nif.nix.nsc.nvd.oda.odb.odc.odf.odg.odi.odm.odp.ods.odt.oex.oga.ogg.ogv.omc.otc.otf.otg.oth.oti.otm.otp.ots.ott.p10.p12.p7a.p7c.p7m.p7r.p7s.pas.pbm.pcl.pct.pcx.pdb.pdf.pgm.pic.pkg.pko.plx.pm4.pm5.png.pnm.pot.pov.ppa.ppm.pps.ppt.ppz.pre.prt.psd.pvu.pwz.pyc.qcp.qd3.qif.qtc.qti.ram.rar.ras.rgb.rmi.rmm.rmp.rng.rnx.rpm.rtf.rtx.s3m.s7z.sbk.scm.sdp.sdr.sea.set.sgm.sid.sit.skd.skm.skp.skt.smi.snd.sol.spc.spl.spr.spx.src.ssi.ssm.sst.stl.stp.svf.svg.svr.swf.tar.tbk.tcl.tex.tgz.tif.tsi.tsp.tsv.txt.uil.uni.unv.uri.uue.vcd.vcf.vcs.vda.vdo.vew.viv.vmd.vmf.voc.vos.vox.vqe.vqf.vql.vrt.vsd.vst.vsw.w60.w61.w6w.wav.wb1.web.wiz.wk1.wmf.wml.wp5.wp6.wpd.wq1.wri.wrl.wrz.wsc.wtk.xbm.xdr.xgz.xif.xla.xlb.xlc.xld.xlk.xll.xlm.xls.xlt.xlv.xlw.xml.xmz.xpi.xpm.xsr.xwd.xyz.zip.zoo.zsh/qps0.0000000405044006600x%x108010th10 source: ESVoO7ywn5.exe

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00714E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	4_2_00714E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00707210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	4_2_00707210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0070B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	4_2_0070B6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00708360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	4_2_00708360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_007013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	4_2_007013F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00713FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	4_2_00713FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_007097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	4_2_007097B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00713580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	4_2_00713580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0070ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	4_2_0070ACD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00715EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	4_2_00715EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00708C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	4_2_00708C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00709560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	4_2_00709560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00714950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	4_2_00714950

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00713AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

4_2_00713AF0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 12MB later: 30MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.7:49941 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.7:49963 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49975 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49974 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49978 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49978 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.27.252:443 -> 192.168.2.7:49973
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49979 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49979 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49976 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49976 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.27.252:443 -> 192.168.2.7:49963
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50005 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:50005 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50000 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50004 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:50004 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50003 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50049 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50006 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50071 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:50071 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:50006 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50090 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:50090 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50067 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:50067 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50102 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:50113 -> 95.217.27.252:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199829660832

Source: global traffic

HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 2.22.242.105 2.22.242.105
Source: Joe Sandbox View	IP Address: 18.244.18.27 18.244.18.27

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.200.0.29

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00703850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

4_2_00703850

Source: global traffic	HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: d.mx.goldenloafuae.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlqHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlqHLAQiFoM0BCNy9zQEIj8rNAQi5ys0BCKLRzQEIitPNAQik1s0BCPTWzQEIp9jNAQj5wNQVGPXJzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlqHLAQiFoM0BCLnKzQEIitPNARj1yc0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.b4dceb3fb90c199d68cd.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.55sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=90E161A33BB2496883B1403088975B1A.RefC=2025-03-04T09:18:05Z; USRLOC=; MUID=30D5C3B1176D6E282EB5D614160F6F07; MUIDB=30D5C3B1176D6E282EB5D614160F6F07; _EDGE_S=F=1&SID=08EE3099D21A60DE10BE253CD31961CE; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.d3ac3ec818a0cdf01df5.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.55sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=90E161A33BB2496883B1403088975B1A.RefC=2025-03-04T09:18:05Z; USRLOC=; MUID=30D5C3B1176D6E282EB5D614160F6F07; MUIDB=30D5C3B1176D6E282EB5D614160F6F07; _EDGE_S=F=1&SID=08EE3099D21A60DE10BE253CD31961CE; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.ccf37a049089f68490a9.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.3fa26ba080d24cc97170.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohcoRYyASTWkAI21BvR0f-Aos7pzgW3GtD8ImYoX-O9Pl77join3GT-5wpD1vT_nG6xpJ0eds7JOZacv0OYNfBAee3mKSnMDx3-YDnz3J7UxfHM_wfhsyHz9Z8rajAAxlKa5T9frrLlN0KHGfJRu7Y7NseNtZ_M/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js HTTP/1.1Host: assets2.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=30D5C3B1176D6E282EB5D614160F6F07; _EDGE_S=F=1&SID=08EE3099D21A60DE10BE253CD31961CE; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1741084693414&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=90e161a33bb2496883b1403088975b1a&activityId=90e161a33bb2496883b1403088975b1a&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=30D5C3B1176D6E282EB5D614160F6F07; _EDGE_S=F=1&SID=08EE3099D21A60DE10BE253CD31961CE; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1741084693415&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=30D5C3B1176D6E282EB5D614160F6F07&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1741084693415&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=30D5C3B1176D6E282EB5D614160F6F07&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1571c1395dce54818288c261741079893; XID=1571c1395dce54818288c261741079893
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 3.8sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 250sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=90E161A33BB2496883B1403088975B1A.RefC=2025-03-04T09:18:05Z; USRLOC=; MUID=30D5C3B1176D6E282EB5D614160F6F07; MUIDB=30D5C3B1176D6E282EB5D614160F6F07; _EDGE_S=F=1&SID=08EE3099D21A60DE10BE253CD31961CE; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=7b2ac27d-1b2f-4ed9-bf87-53451f5be6f6; ai_session=WZSN5TIUHYcSFiYEe8fD+0\|1741084693410\|1741084693410; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=90E161A33BB2496883B1403088975B1A.RefC=2025-03-04T09:18:05Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":17,"imageId":"BB1msyCB","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=90E161A33BB2496883B1403088975B1A.RefC=2025-03-04T09:18:05Z; USRLOC=; MUID=30D5C3B1176D6E282EB5D614160F6F07; MUIDB=30D5C3B1176D6E282EB5D614160F6F07; _EDGE_S=F=1&SID=08EE3099D21A60DE10BE253CD31961CE; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=7b2ac27d-1b2f-4ed9-bf87-53451f5be6f6; ai_session=WZSN5TIUHYcSFiYEe8fD+0\|1741084693410\|1741084693410; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=90E161A33BB2496883B1403088975B1A.RefC=2025-03-04T09:18:05Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1741084693414&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=90e161a33bb2496883b1403088975b1a&activityId=90e161a33bb2496883b1403088975b1a&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=40A4A3E727974932BAAEE795911D536F&MUID=30D5C3B1176D6E282EB5D614160F6F07 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=30D5C3B1176D6E282EB5D614160F6F07; _EDGE_S=F=1&SID=08EE3099D21A60DE10BE253CD31961CE; _EDGE_V=1; SM=T

Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000003.1884098848.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1884708633.00000F3400F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1884436945.00000F340100C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000006.00000003.1884098848.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1884708633.00000F3400F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1884436945.00000F340100C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1955379639.00000F34002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: d.mx.goldenloafuae.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2d2nyc2nozmo8qq168q9User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: d.mx.goldenloafuae.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078l
Source: chrome.exe, 00000006.00000002.1957123685.00000F3400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206n
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584il
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/35864
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970te
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2050496381.000015C000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2150838293.0000367002644000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2330500733.000012C402668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061p
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1954198495.00000F340001C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000006.00000002.1954198495.00000F340001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535e2
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2050496381.000015C000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2150838293.0000367002644000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2330500733.000012C402668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881k
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2050496381.000015C000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2150838293.0000367002644000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2330500733.000012C402668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906b
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906f
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/60484
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000006.00000002.1957123685.00000F3400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878hwJ
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406:
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2050496381.000015C000378000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2150838293.0000367002644000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2330500733.000012C402668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488r
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229e
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: ESVoO7ywn5.exe	String found in binary or memory: http://beego.me/docs/advantage/monitor.md
Source: ESVoO7ywn5.exe	String found in binary or memory: http://beego.me/docs/module/toolbox.md
Source: chrome.exe, 00000006.00000002.1955506502.00000F3400318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000006.00000002.1956712207.00000F3400688000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000006.00000002.1954406884.00000F3400082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000006.00000003.1890693931.00000F3401078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891706797.00000F34010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890790749.00000F3401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891544769.00000F3400F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 00000006.00000003.1890693931.00000F3401078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900807610.00000F340040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900475931.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955411533.00000F3400303000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901376428.00000F3401264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900192084.00000F340071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891706797.00000F34010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890903349.00000F34010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1899960459.00000F3400C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890790749.00000F3401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900236429.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891544769.00000F3400F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000006.00000003.1890693931.00000F3401078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900807610.00000F340040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900475931.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955411533.00000F3400303000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901376428.00000F3401264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900192084.00000F340071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891706797.00000F34010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890903349.00000F34010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1899960459.00000F3400C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890790749.00000F3401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900236429.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891544769.00000F3400F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000006.00000003.1890693931.00000F3401078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900807610.00000F340040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900475931.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955411533.00000F3400303000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901376428.00000F3401264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900192084.00000F340071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891706797.00000F34010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890903349.00000F34010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1899960459.00000F3400C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890790749.00000F3401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900236429.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891544769.00000F3400F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000006.00000003.1890693931.00000F3401078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900807610.00000F340040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900475931.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955411533.00000F3400303000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901376428.00000F3401264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900192084.00000F340071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891706797.00000F34010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890903349.00000F34010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1899960459.00000F3400C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1890790749.00000F3401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900236429.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1891544769.00000F3400F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000006.00000002.1957684511.00000F34008A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1960360355.00000F3400E90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000006.00000002.1958035513.00000F3400950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000006.00000002.1958323592.00000F3400A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chromecache_281.10.dr	String found in binary or memory: http://www.broofa.com
Source: chrome.exe, 00000006.00000002.1958356822.00000F3400A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp, w4e3eu.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000006.00000002.1954467350.00000F340009F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955998536.00000F34004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1954198495.00000F340001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000006.00000003.1898915758.00000F34002AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000006.00000003.1898915758.00000F34002AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000006.00000003.1898915758.00000F34002AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000006.00000002.1954365915.00000F3400050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000006.00000002.1954365915.00000F3400050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000006.00000002.1954365915.00000F3400050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000006.00000002.1954467350.00000F340009F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chromecache_284.10.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_284.10.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955998536.00000F34004D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com4
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162i
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369co.
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369w
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000006.00000002.1959174354.00000F3400C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879366831.00000F3400DE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879327234.00000F34003A8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2048327574.000015C00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2148901108.00003670025D4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227008859.00005C1C0046C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000006.00000003.1919685972.00000F3401754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912126675.00000F340180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912176166.00000F3401324000.00000004.00000800.00020000.00000000.sdmp, chromecache_281.10.dr, chromecache_284.10.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000006.00000002.1960718189.00000F3400F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956984307.00000F3400748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1960503915.00000F3400ED0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes
Source: msedge.exe, 00000017.00000002.2387866393.000001C72493C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: msedge.exe, 0000000F.00000002.2154155885.000001EFD5900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com0
Source: msedge.exe, 0000000B.00000002.2056180043.00000237B58F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com3
Source: msedge.exe, 00000013.00000002.2236047947.00000232E433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comse
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821889545.000000000099F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821816970.0000000000998000.00000004.00000020.00020000.00000000.sdmp, 8q1nyc.4.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821889545.000000000099F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821816970.0000000000998000.00000004.00000020.00020000.00000000.sdmp, 8q1nyc.4.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: chrome.exe, 00000006.00000002.1956124534.00000F340052F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957161069.00000F3400788000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911760023.00000F3401030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1922072858.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1961126160.00000F3401030000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, w4e3eu.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: service_worker_bin_prod.js.25.dr, offscreendocument_main.js.25.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: chrome.exe, 00000006.00000003.1938622291.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913149308.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958982239.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1935645051.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900778473.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911010278.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000006.00000003.1938622291.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913149308.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958982239.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1935645051.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900778473.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911010278.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, Web Data.25.dr, w4e3eu.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp, Web Data.25.dr, w4e3eu.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000006.00000003.1879292800.00000F3400C90000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2060091883.000015C00017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.2156546273.000036700237C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.2245671825.00005C1C0016C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2392116622.000012C40237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.25.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000006.00000002.1956834534.00000F34006D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: msedge.exe, 0000000F.00000002.2156546273.000036700237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore6p
Source: chrome.exe, 00000006.00000002.1961434604.00000F340118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958229522.00000F34009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958356822.00000F3400A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000006.00000002.1961434604.00000F340118C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en10
Source: chrome.exe, 00000006.00000003.1901474290.00000F3400364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901509620.00000F3400C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1881411679.00000F3400DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879253825.00000F3400C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1882585143.00000F3400CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1905640495.00000F3400CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1879292800.00000F3400C90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000006.00000002.1956834534.00000F34006D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstorekuOEgDdc=
Source: chrome.exe, 00000006.00000003.1869804738.00005E88006B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000006.00000003.1869804738.00005E88006B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000006.00000002.1981313609.00005E880078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000006.00000002.1981313609.00005E880078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869727583.00005E8800684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000006.00000002.1955506502.00000F3400318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000006.00000002.1955506502.00000F3400318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000006.00000002.1954198495.00000F340001C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2060091883.000015C00017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.2156546273.000036700237C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.2245671825.00005C1C0016C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2392116622.000012C40237C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.25.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000006.00000002.1960621774.00000F3400F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000006.00000002.1960621774.00000F3400F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/I1MDMwMy0xODAwMjAuNjM4MDAwEggIABADGHUgAA==#
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/_
Source: chrome.exe, 00000006.00000003.1865556477.000070F8002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1865534074.000070F8002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956306873.00000F3400589000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956863490.00000F34006E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956984307.00000F3400748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1954365915.00000F3400050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900778473.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2059117803.000015C000040000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.2155728571.0000367002240000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.2244597658.00005C1C00040000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2390602384.000012C402240000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.25.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000006.00000002.1958035513.00000F3400950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000006.00000002.1958035513.00000F3400950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000006.00000002.1957161069.00000F3400788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chromecache_284.10.dr	String found in binary or memory: https://clients6.google.com
Source: chrome.exe, 00000006.00000002.1956712207.00000F3400688000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chromecache_284.10.dr	String found in binary or memory: https://content.googleapis.com
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821889545.000000000099F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821816970.0000000000998000.00000004.00000020.00020000.00000000.sdmp, 8q1nyc.4.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821889545.000000000099F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821816970.0000000000998000.00000004.00000020.00020000.00000000.sdmp, 8q1nyc.4.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000006.00000002.1958466214.00000F3400A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: BitLockerToGo.exe, 00000004.00000003.1718787546.0000000000987000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1718812911.0000000000942000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/#
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/7I
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/J
Source: BitLockerToGo.exe, 00000004.00000002.2566577986.0000000005170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/URRENT
Source: BitLockerToGo.exe, 00000004.00000002.2566577986.0000000005170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/denloafuae.com/
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/f
Source: BitLockerToGo.exe, 00000004.00000002.2566577986.0000000005170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/ntdesk
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/ource
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/p
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.com/w
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.comK
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.mx.goldenloafuae.comc
Source: 2cc80dabc69f58b6_0.25.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ESVoO7ywn5.exe	String found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflict
Source: manifest.json0.25.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000006.00000002.1955961604.00000F34004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1957471684.00000F340081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957506933.00000F340083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1957471684.00000F340081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1960621774.00000F3400F00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957506933.00000F340083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1957471684.00000F340081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1960621774.00000F3400F00000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957506933.00000F340083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000006.00000002.1955961604.00000F34004BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1956124534.00000F340052F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957161069.00000F3400788000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911760023.00000F3401030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1922072858.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1961126160.00000F3401030000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955379639.00000F34002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1956124534.00000F340052F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957161069.00000F3400788000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911760023.00000F3401030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1922072858.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1961126160.00000F3401030000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chromecache_284.10.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json0.25.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955506502.00000F3400318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000003.1938622291.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913149308.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958070676.00000F340096C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958982239.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1935645051.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900778473.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911010278.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000006.00000002.1958070676.00000F340096C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp, Web Data.25.dr, w4e3eu.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1938622291.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913149308.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958982239.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1935645051.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900778473.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911010278.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, Web Data.25.dr, w4e3eu.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000006.00000003.1938622291.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913149308.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958982239.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1935645051.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1900778473.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911010278.00000F3400BF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, Web Data.25.dr, w4e3eu.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log3.25.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log3.25.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log2.25.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 000003.log3.25.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: chromecache_281.10.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_281.10.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_281.10.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_281.10.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: ESVoO7ywn5.exe	String found in binary or memory: https://golang.org/doc/faq#nil_errortls:
Source: chrome.exe, 00000006.00000003.1869727583.00005E8800684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000006.00000003.1869727583.00005E8800684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gj
Source: chrome.exe, 00000006.00000003.1869727583.00005E8800684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000006.00000003.1869727583.00005E8800684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000006.00000003.1869727583.00005E8800684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000006.00000003.1870048525.00005E88006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1915044017.00000F3401B80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 00000013.00000002.2246432345.00005C1C002B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2392754603.000012C4024B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000006.00000002.1956780441.00000F34006BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 8q1nyc.4.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000017.00000003.2327611147.000012C402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 00000013.00000003.2227829745.00005C1C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000006.00000002.1957471684.00000F340081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957506933.00000F340083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000006.00000002.1957471684.00000F340081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957506933.00000F340083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000006.00000003.1914458077.00000F3401AD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000006.00000003.1915779759.00005E880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000006.00000002.1981187378.00005E8800770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000006.00000003.1900807610.00000F340040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901376428.00000F3401264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000006.00000003.1900807610.00000F340040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901376428.00000F3401264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000006.00000003.1870048525.00005E88006E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000006.00000003.1869150431.00005E8800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000006.00000002.1981313609.00005E880078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000006.00000002.1981313609.00005E880078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000006.00000002.1981159415.00005E8800744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955506502.00000F3400318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: msedge.exe, 00000013.00000002.2246432345.00005C1C002B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2392754603.000012C4024B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000013.00000002.2246432345.00005C1C002B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2392754603.000012C4024B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: chrome.exe, 00000006.00000002.1956124534.00000F340052F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957161069.00000F3400788000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911760023.00000F3401030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1922072858.00000F340100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1961126160.00000F3401030000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000006.00000002.1956053845.00000F34004EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957193955.00000F340079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000006.00000002.1957193955.00000F340079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyM
Source: chrome.exe, 00000006.00000002.1956053845.00000F34004EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyf
Source: chrome.exe, 00000006.00000002.1956893624.00000F34006F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957193955.00000F340079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000006.00000003.1919107929.00000F34016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1919249515.00000F34016CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1919136315.00000F34016C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1919077113.00000F34016B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000006.00000002.1956053845.00000F34004EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957193955.00000F340079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1960687018.00000F3400F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000006.00000002.1958229522.00000F34009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958293784.00000F3400A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 000003.log8.25.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log0.25.dr, 000003.log7.25.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log0.25.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.25.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: Session_13385558286248681.25.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager-journal.25.dr, QuotaManager.25.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: QuotaManager-journal.25.dr, QuotaManager.25.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default/
Source: 2cc80dabc69f58b6_0.25.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 00000013.00000002.2246432345.00005C1C002B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2392754603.000012C4024B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000006.00000003.1919685972.00000F3401754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912126675.00000F340180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912176166.00000F3401324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000006.00000003.1940576622.00000F3400FBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyn
Source: chrome.exe, 00000006.00000003.1913452980.00000F34002AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000006.00000003.1919685972.00000F3401754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912126675.00000F340180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912176166.00000F3401324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000006.00000003.1919685972.00000F3401754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912126675.00000F340180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912176166.00000F3401324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 0000000B.00000003.2048153546.000015C00026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047820933.000015C000264000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.2047922039.000015C000268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138271291.0000367002470000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.2138482555.0000367002474000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000013.00000003.2224571109.00005C1C00270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000017.00000003.2326801965.000012C402474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000006.00000002.1958229522.00000F34009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958293784.00000F3400A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000006.00000003.1900807610.00000F340040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901376428.00000F3401264000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chromecache_281.10.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_284.10.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_284.10.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000006.00000002.1958229522.00000F34009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958293784.00000F3400A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000006.00000002.1954467350.00000F340009F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: chrome.exe, 00000006.00000002.1957123685.00000F3400770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1954526607.00000F34000C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000006.00000002.1957471684.00000F340081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957506933.00000F340083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1957471684.00000F340081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957506933.00000F340083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000006.00000003.1900807610.00000F3400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: ESVoO7ywn5.exe, 00000000.00000002.1711447108.000000000A3E4000.00000004.00001000.00020000.00000000.sdmp, ESVoO7ywn5.exe, 00000000.00000003.1523614063.000000000A426000.00000004.00001000.00020000.00000000.sdmp, ESVoO7ywn5.exe, 00000000.00000003.1523545269.000000000A48E000.00000004.00001000.00020000.00000000.sdmp, ESVoO7ywn5.exe, 00000000.00000002.1708224903.000000000A120000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2562204232.0000000000722000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
Source: BitLockerToGo.exe, 00000004.00000002.2562204232.0000000000722000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
Source: BitLockerToGo.exe, 00000004.00000002.2575600602.0000000005AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000004.00000002.2575600602.0000000005AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/W
Source: BitLockerToGo.exe, 00000004.00000003.1718812911.0000000000949000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2562204232.0000000000722000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1718864060.000000000094B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000918000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000933000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1718787546.0000000000987000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oy
Source: BitLockerToGo.exe, 00000004.00000002.2562204232.0000000000722000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oyir7amMozilla/5.0
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oyl
Source: chrome.exe, 00000006.00000002.1958356822.00000F3400A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.25.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.25.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.25.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: BitLockerToGo.exe, 00000004.00000003.1718864060.000000000094B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000918000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000933000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1718787546.0000000000987000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: chromecache_284.10.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821889545.000000000099F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821816970.0000000000998000.00000004.00000020.00020000.00000000.sdmp, 8q1nyc.4.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp, w4e3eu.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000006.00000002.1959079080.00000F3400C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000006.00000003.1898915758.00000F34002AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000006.00000003.1900807610.00000F3400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000006.00000003.1900807610.00000F3400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000006.00000003.1879292800.00000F3400C90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958293784.00000F3400A13000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956984307.00000F3400748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958396847.00000F3400A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000006.00000002.1957600788.00000F3400860000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958945377.00000F3400BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000006.00000002.1960621774.00000F3400F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000006.00000002.1960621774.00000F3400F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2-
Source: chrome.exe, 00000006.00000002.1958691542.00000F3400B34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000006.00000002.1958691542.00000F3400B34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos4
Source: content_new.js.25.dr, content.js.25.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000006.00000002.1960935724.00000F3400FC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957684511.00000F34008A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958106364.00000F340099C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000006.00000002.1960935724.00000F3400FC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957684511.00000F34008A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955058730.00000F34001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1958106364.00000F340099C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: BitLockerToGo.exe, 00000004.00000002.2568817392.000000000536F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956124534.00000F340052F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1957161069.00000F3400788000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1956423696.00000F34005BC000.00000004.00000800.00020000.00000000.sdmp, Web Data.25.dr, w4e3eu.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000006.00000002.1955910687.00000F3400460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000006.00000003.1901108442.00000F340120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000006.00000002.1956083546.00000F3400504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000006.00000002.1958396847.00000F3400A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1954198495.00000F340001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: chromecache_284.10.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_284.10.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000006.00000003.1919107929.00000F34016C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1919249515.00000F34016CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1919136315.00000F34016C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1919077113.00000F34016B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000006.00000003.1913960699.00000F3401434000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1911854611.00000F3401430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: chrome.exe, 00000006.00000003.1874608589.00000F34004F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000006.00000003.1878932457.00000F3400BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955123064.00000F340020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000006.00000003.1900807610.00000F3400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000006.00000003.1900807610.00000F3400454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000006.00000002.1959279787.00000F3400CBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chromecache_281.10.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_281.10.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_281.10.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000006.00000002.1963652876.00000F340176C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912759935.00000F340171C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912544420.00000F3401078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912575897.00000F3401764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912797591.00000F3401738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000006.00000003.1919685972.00000F3401754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1954650630.00000F340010C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912126675.00000F340180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912176166.00000F3401324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ewNYOTtoM3M.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000006.00000003.1919685972.00000F3401754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912126675.00000F340180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1913013868.00000F3401344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1912176166.00000F3401324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.D8RxnyMyyQs.L.W.O/m=qmd
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821889545.000000000099F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1821816970.0000000000998000.00000004.00000020.00020000.00000000.sdmp, 8q1nyc.4.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: BitLockerToGo.exe, 00000004.00000002.2575600602.0000000005AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: BitLockerToGo.exe, 00000004.00000002.2575600602.0000000005AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: BitLockerToGo.exe, 00000004.00000002.2575600602.0000000005AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: BitLockerToGo.exe, 00000004.00000002.2575600602.0000000005AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000004.00000002.2575600602.0000000005AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000006.00000002.1957018615.00000F3400764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1955379639.00000F34002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.7:49930 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00710A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

4_2_00710A90

Source: ESVoO7ywn5.exe, 00000000.00000002.1694100014.0000000000F61000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: %d elided lines()<>@,;:\"/[]?=,M3.2.0,M11.1.00601021504Z070032-Bit Required476837158203125: cannot parse : no frame (sp=; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryAgressibeWsTrimAlign 128-BytesAlign 265-BytesAlign 512-BytesBelarusian (be)CLSIDFromStringCallWindowProcWCardinality(%d)ClientAuthType(ContainingOneofCreateErrorInfoCreateHardLinkWCreatePopupMenuCreateWindowExWCustomAttributeDeviceIoControlDiacriticalDot;DialogBoxParamWDllCanUnloadNowDoubleRightTee;DownLeftVector;DragAcceptFilesDrawThemeTextExDuplicateHandleEFI ApplicationExcludeClipRectExecutableImageExtensionRangesFailed to find Failed to load Filter FunctionFindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGdiplusShutdownGetActiveObjectGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetModuleHandleGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleGot version 2 !GreaterGreater;Hanifi_RohingyaHitachi SH3 DSPHorizontalLine;Idempotency-KeyImpersonateSelfImportEntrySizeIndonesian (id)InsertMenuItemWInvisibleComma;InvisibleTimes;IsWindowEnabledIsWindowUnicodeIsWindowVisibleIsWow64Process2LeftDownVector;LeftRightArrow;Leftrightarrow;Length RequiredLessSlantEqual;Lithuanian (lt)LoadLibraryExA

memstr_8b49e0d7-8

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00706480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

4_2_00706480

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.ESVoO7ywn5.exe.a450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.ESVoO7ywn5.exe.a450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.ESVoO7ywn5.exe.a3e4000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.ESVoO7ywn5.exe.a408000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.ESVoO7ywn5.exe.a42c000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 4.2.BitLockerToGo.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.3.ESVoO7ywn5.exe.a42c000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1711447108.000000000A3E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1711628200.000000000A544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1523614063.000000000A42C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000003.1523614063.000000000A450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1711447108.000000000A408000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1711567168.000000000A450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.1711567168.000000000A42C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00704A20	4_2_00704A20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00718630	4_2_00718630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0071B770	4_2_0071B770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0071B300	4_2_0071B300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0071C100	4_2_0071C100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_007193D0	4_2_007193D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0071A7D0	4_2_0071A7D0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00710D00 appears 42 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 0070F5B0 appears 135 times

Source: ESVoO7ywn5.exe, 00000000.00000002.1711447108.000000000A380000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs ESVoO7ywn5.exe

Source: ESVoO7ywn5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 0.3.ESVoO7ywn5.exe.a450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.ESVoO7ywn5.exe.a450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.ESVoO7ywn5.exe.a3e4000.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.ESVoO7ywn5.exe.a408000.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.ESVoO7ywn5.exe.a42c000.5.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 4.2.BitLockerToGo.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.3.ESVoO7ywn5.exe.a42c000.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1711447108.000000000A3E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1711628200.000000000A544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1523614063.000000000A42C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000003.1523614063.000000000A450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1711447108.000000000A408000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1711567168.000000000A450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.1711567168.000000000A42C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@94/282@28/23

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00711250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,

4_2_00711250

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\GJQ34KA0.htm

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user~1\AppData\Local\Temp\26bba2b0-4900-4615-be81-66110fc7b0d7.tmp

Source: ESVoO7ywn5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000006.00000002.1957018615.00000F340076C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: kngv3e3wl.4.dr, eu3w4o89z.4.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ESVoO7ywn5.exe	Virustotal: Detection: 48%
Source: ESVoO7ywn5.exe	ReversingLabs: Detection: 44%

Source: ESVoO7ywn5.exe	String found in binary or memory: , levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeArabic Jordan (ar-JO)Arabic Kuwait (ar-KW)Arabic U.a.e. (ar-AE)Belarus Standard TimeBreton France (br-FR)CM_Get_DevNode_StatusCapitalDifferentialD;Catalan Spain (ca-ES)Central Standard TimeChangeServiceConfig2WDeregisterEventSourceDoubleLeftRightArrow;DoubleLongRightArrow;Dutch Belgium (nl-BE)DwmGetWindowAttributeDwmSetWindowAttributeEastern Standard TimeEmptyVerySmallSquare;English India (en-IN)EnumServicesStatusExWExtensionRangeOptionsFrench Canada (fr-CA)French France (fr-FR)Fulah Nigeria (ff-NG)GdiplusNotInitializedGetNamedSecurityInfoWGetProcessHandleCountGetProfilesDirectoryWGetTextExtentExPointWGetTextExtentPoint32WGetTextMetrics failedGetVolumeInformationWHebrew Israel (he-IL)IPv4 address too longImageList_ReplaceIconInscriptional_PahlaviInsertMenuItem failedInternal Server ErrorInvalidateRect failedIrish Ireland (ga-IE)Italian Italy (it-IT)Kannada India (kn-IN)LPSAFEARRAY_UnmarshalLoadIconWithScaleDownLookupPrivilegeValueWMagadan Standard TimeMaltese Malta (mt-MT)Marathi India (mr-IN)Morocco Standard TimeMyanmar Standard TimeNamibia Standard TimeNestedGreaterGreater;NetGetJoinInformationNetUserGetLocalGroupsNorfolk Standard TimeNotDoubleVerticalBar;NotGreaterSlantEqual;NotLeftTriangleEqual;NotSquareSubsetEqual;NtCreateNamedPipeFileOleCreateFontIndirectOleSetContainedObjectOpenCurlyDoubleQuote;Other_Grapheme_ExtendPacific Standard TimePdhAddEnglishCounterWPolish Poland (pl-PL)Precondition RequiredPunjabi India (pa-IN)Quechua Peru (quz-PE)QueryPathOfRegTypeLibReadDirectoryChangesWRemoveFontResourceExWReverseUpEquilibrium;Romance Standard TimeRoundTrip failure: %vRussian Standard TimeSE Asia Standard TimeSafeArrayCreateVectorSafeArrayUnaccessDataSakha Russia (sah-RU)Sami (Southern) (sma)Saratov Standard TimeScreenToClient failedSetNamedSecurityInfoWSetupDiEnumDeviceInfoSetupUninstallOEMInfWSpanish Chile (es-CL)Spanish Spain (es-ES)Syriac Syria (syr-SY)SysAllocStringByteLenSystemParametersInfoWTajik (Cyrillic) (tg)Thai Thailand (th-TH)UNKNOWN_FRAME_TYPE_%dUnhandled Setting: %vVARIANT_UserUnmarshalWSAAsyncGetHostByAddrWSAAsyncGetHostByNameWSAAsyncGetServByNameWSAAsyncGetServByPortWSACancelAsyncRequestWSACancelBlockingCallWSALookupServiceNextAWSALookupServiceNextWWSARemoveServiceClassWSAUnhookBlockingHookWSCUnInstallNameSpaceWSCWriteProviderOrderWTSEnumerateSessionsWWolof Senegal (wo-SN)Yakutsk Standard Time" rel="stylesheet" />after top-level valueapplication/clariscadapplication/groupwiseapplication/pkix-certapplication/vndhp-pclapplication/x-navidocapplication/x-navimapapplication/x-projectapplication/x-seelogoapplication/x-stuffitapplication/x-sv4cpioapplication/x-texinfoapplication/x-wintalkasync stack too largeat range loop break: audio/x-twinvq-pluginbad number syntax: %qbad type in compare: block device requiredbrotli: invalid statebufio: negative countcannot marshal type: checkdead: runnabl
Source: ESVoO7ywn5.exe	String found in binary or memory: Nyiakeng_Puachue_HmongOccitan France (oc-FR)OleCreatePropertyFrameOromo Ethiopia (om-ET)Pakistan Standard TimeParaguay Standard TimePlayEnhMetaFile failedPower PC little endianRegisterTypeLibForUserRegisterWindowMessageWRotate StartLogger: %sRtlDeleteFunctionTableRtlGetNtVersionNumbersRussian Russia (ru-RU)SafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSanskrit India (sa-IN)Sao Tome Standard TimeSesotho Sa Leboa (nso)SetMenuItemInfo failedSetupDiEnumDriverInfoWSetupDiGetClassDevsExWSomali Somalia (so-SO)Spanish Mexico (es-MX)Spanish Panama (es-PA)StaticExtensionsToGzipSwedish Sweden (sv-SE)Tasmania Standard TimeTotal number of frees.Turkish Turkey (tr-TR)Unsupported Media TypeWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWrong unwind opcode %dX-Content-Type-OptionsXXX_InternalExtensionsYiddish World (yi-001)Yoruba Nigeria (yo-NG)access-control-max-ageaddress already in useadvapi32.dll not foundapplication/ecmascriptapplication/freeloaderapplication/javascriptapplication/mac-binaryapplication/pkcs7-mimeapplication/postscriptapplication/vndhp-hpglapplication/x-compressapplication/x-directorapplication/x-esrehberapplication/x-helpfileapplication/x-inventorapplication/x-mplayer2application/x-stuffitxapplication/x-troff-meapplication/x-troff-msargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbody closed by handlerbuild line missing '='cannot allocate memorycannot unmarshal into compileCallabck: type driver: bad connectionduplicated defer entryduplicatehandle failederror decoding messageerror parsing regexp: expected /> in elementexpected end; found %sexpected quoted stringframe_data_pad_too_bigfreeIndex is not validgetenv before env initgo_gc_duration_secondsgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhttp2: frame too largeidna: invalid label %qinappropriate fallbackindex out of range: %dinteger divide by zerointerface conversion: internal inconsistencyinvalid Trailer key %qinvalid UTF-8 detectedinvalid address familyinvalid message lengthinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressnetwork is unreachablenon-Go function at pc=not a build constraintoldoverflow is not niloneof type already setoperation was canceledoverflowing coordinateparenthesized pipelinepe: file reader is nilprotocol not availableprotocol not supportedptr:%v, len:%d, cap:%dreflect.MapIter.SetKeyreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: global value=runtime: heapReleased=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelskipping Question Nameskipping Question Typeslice length too largespan has no free spacesql: no Rows availablestack no
Source: ESVoO7ywn5.exe	String found in binary or memory: FilledVerySmallSquare;French Belgium (fr-BE)French Morocco (fr-MA)French Reunion (fr-RE)French Senegal (fr-SN)Galician Spain (gl-ES)GenericParamConstraintGeorgian Standard TimeGerman Austria (de-AT)German Germany (de-DE)GetEnvironmentStringsWGetRecordInfoFromGuidsGetSystemMetricsForDpiGetTimeZoneInformationGujarati India (gu-IN)Hawaiian Standard TimeIPv4 address too shortIWebBrowser2.Navigate2Inscriptional_ParthianInt.Scan: invalid verbInuktitut (Latin) (iu)Japanese Japan (ja-JP)Khmer Cambodia (km-KH)Konkani India (kok-IN)Lao Lao P.d.r. (lo-LA)Latvian Latvia (lv-LV)MAX_CONCURRENT_STREAMSMalay Malaysia (ms-MY)Mohawk Canada (moh-CA)Mountain Standard TimeNegativeVeryThinSpace;No closing quote foundNotPrecedesSlantEqual;NotRightTriangleEqual;NotSucceedsSlantEqual;NtProtectVirtualMemoryNtSetSystemInformationNtWaitForSingleObjectNyiakeng_Puachue_HmongOccitan France (oc-FR)OleCreatePropertyFrameOromo Ethiopia (om-ET)Pakistan Standard TimeParaguay Standard TimePlayEnhMetaFile failedPower PC little endianRegisterTypeLibForUserRegisterWindowMessageWRotate StartLogger: %sRtlDeleteFunctionTableRtlGetNtVersionNumbersRussian Russia (ru-RU)SafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSanskrit India (sa-IN)Sao Tome Standard TimeSesotho Sa Leboa (nso)SetMenuItemInfo failedSetupDiEnumDriverInfoWSetupDiGetClassDevsExWSomali Somalia (so-SO)Spanish Mexico (es-MX)Spanish Panama (es-PA)StaticExtensionsToGzipSwedish Sweden (sv-SE)Tasmania Standard TimeTotal number of frees.Turkish Turkey (tr-TR)Unsupported Media TypeWSAAsyncGetProtoByNameWSAGetOverlappedResultWSALookupServiceBeginAWSALookupServiceBeginWWSCWriteNameSpaceOrderWaitForMultipleObjectsWrong unwind opcode %dX-Content-Type-OptionsXXX_InternalExtensionsYiddish World (yi-001)Yoruba Nigeria (yo-NG)access-control-max-ageaddress already in useadvapi32.dll not foundapplication/ecmascriptapplication/freeloaderapplication/javascriptapplication/mac-binaryapplication/pkcs7-mimeapplication/postscriptapplication/vndhp-hpglapplication/x-compressapplication/x-directorapplication/x-esrehberapplication/x-helpfileapplication/x-inventorapplication/x-mplayer2application/x-stuffitxapplication/x-troff-meapplication/x-troff-msargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbody closed by handlerbuild line missing '='cannot allocate memorycannot unmarshal into compileCallabck: type driver: bad connectionduplicated defer entryduplicatehandle failederror decoding messageerror parsing regexp: expected /> in elementexpected end; found %sexpected quoted stringframe_data_pad_too_bigfreeIndex is not validgetenv before env initgo_gc_duration_secondsgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhttp2: frame too largeidna: invalid label %qinappropriate fallbackindex out of range: %dinteger divide by zerointerface conversion: internal inconsistencyinvalid Trailer key %qinvalid UTF-8 detectedinvalid address familyinvalid message lengthinvalid n
Source: ESVoO7ywn5.exe	String found in binary or memory: span set block with unpopped elements found in resettls: received a session ticket with invalid lifetimetls: server selected unsupported protocol version %xwrong number of args for %s: want at least %d got %dx509: cannot verify signature: insecure algorithm %vxml: EncodeElement of StartElement with missing name(?i)(?:\W\|^)(?:on\s?)?(?:(this\|last\|past\|next)\s)?(Central Atlas Tamazight (Arabic) Morocco (tzm-ArabMA)^[-+]?(\.[0-9]+\|[0-9]+(\.[0-9])?)([eE][-+]?[0-9]+)?$application/vnd.ms-excel.sheet.binary.macroEnabled.12application/x-nokia-9000-communicator-add-on-softwarechacha20: internal error: wrong dst and/or src lengthcollected metric %s %s has help %q but should have %qcompileCallback: argument size is larger than uintptrcrypto/ecdh: internal error: mismatched isLess inputscrypto/elliptic: attempted operation on invalid pointhttp2: Framer %p: failed to decode just-written framehttp2: Transport failed to get client conn for %s: %vhttp: putIdleConn: too many idle connections for hostillegal use of AllowIllegalReads with ReadMetaHeadersincomparable values detected: want equal elements: %vmath/big: internal error: cannot find (D/n) = -1 for reflect.Value.Slice: string slice index out of boundsreflect: non-interface type passed to Type.Implementssync/atomic: compare and swap of nil value into Valuetls: HKDF-Expand-Label invocation failed unexpectedlytls: received unexpected handshake message of type %Tx509: certificate specifies an incompatible key usagexml: %s.MarshalXML wrote invalid XML: <%s> not closed)(?:\s(\d{4}))?(?:\s*
Source: ESVoO7ywn5.exe	String found in binary or memory: net/addrselect.go
Source: ESVoO7ywn5.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
Source: ESVoO7ywn5.exe	String found in binary or memory: github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go
Source: ESVoO7ywn5.exe	String found in binary or memory: github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe

File read: C:\Users\user\Desktop\ESVoO7ywn5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ESVoO7ywn5.exe "C:\Users\user\Desktop\ESVoO7ywn5.exe"
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2156,i,1131510046767708764,2246000416851658240,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2412,i,9274776203736152754,605761456401538253,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2044,i,15981325911887861837,13651116499266714493,262144 /prefetch:3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2460,i,1138376815955586151,5217051833138542039,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1224,i,17455348826925458802,6377544182770007866,262144 /prefetch:3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2332,i,2532517917331351372,14812221957189302912,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2100,i,13483832867504272092,8759147376075008789,262144 /prefetch:3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2616 --field-trial-handle=2412,i,16560664075412926242,1091205746907078500,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2536 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6628 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6820 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:8
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=2156,i,1131510046767708764,2246000416851658240,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2412,i,9274776203736152754,605761456401538253,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2044,i,15981325911887861837,13651116499266714493,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2460,i,1138376815955586151,5217051833138542039,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1224,i,17455348826925458802,6377544182770007866,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2332,i,2532517917331351372,14812221957189302912,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2100,i,13483832867504272092,8759147376075008789,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2616 --field-trial-handle=2412,i,16560664075412926242,1091205746907078500,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2536 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6628 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6820 --field-trial-handle=2016,i,8861881736564387129,5534421032980024966,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: ESVoO7ywn5.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ESVoO7ywn5.exe

Static file information: File size 12978688 > 1048576

Source: ESVoO7ywn5.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5bf800
Source: ESVoO7ywn5.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x5ea000

Source: ESVoO7ywn5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: ESVoO7ywn5.exe, 00000000.00000002.1711447108.000000000A380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: ESVoO7ywn5.exe, 00000000.00000002.1711447108.000000000A380000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +Inf-1.0-Inf-inf...:.3dm.INF.Inf.NAN.NaN.aab.aam.aas.abc.ace.afl.aif.aim.aip.alz.ani.aos.apk.aps.arc.arj.art.asf.asm.asp.asx.avi.avs.bat.bin.bmp.boo.boz.bsh.bz2.c++.cab.cat.cco.cdf.cer.cha.cmd.com.cpp.cpt.crl.crt.crx.csh.css.csv.cxx.dar.dcr.deb.def.der.dif.dir.dmg.doc.dot.drw.dvi.dwf.dwg.dxf.dxr.elc.eml.env.eps.etx.evy.exe.f77.f90.fdf.fif.fli.flo.flv.flw.flx.fmf.for.fpx.frl.gif.gsd.gsm.gsp.gss.hdf.hgl.hlb.hlp.hpg.hqx.hta.htc.htm.htt.htx.ice.ico.ics.icz.idc.ief.igs.ima.inf.ins.isu.ivr.ivy.jam.jav.jcm.jpe.jpg.jps.jut.kar.key.kfo.kml.kmz.kon.kpr.kpt.ksh.ksp.kth.kwd.kwt.lam.lha.lhx.lma.log.lsp.lst.lsx.ltx.lzh.lzx.m1v.m2a.m2v.m3u.man.map.mar.mbd.mc$.mcd.mcf.mcp.mht.mid.mif.mjf.mjs.mme.mod.mov.mp2.mp3.mp4.mpa.mpc.mpe.mpg.mpp.mpt.mpv.mpx.mrc.mzz.nan.nap.ncm.nif.nix.nsc.nvd.oda.odb.odc.odf.odg.odi.odm.odp.ods.odt.oex.oga.ogg.ogv.omc.otc.otf.otg.oth.oti.otm.otp.ots.ott.p10.p12.p7a.p7c.p7m.p7r.p7s.pas.pbm.pcl.pct.pcx.pdb.pdf.pgm.pic.pkg.pko.plx.pm4.pm5.png.pnm.pot.pov.ppa.ppm.pps.ppt.ppz.pre.prt.psd.pvu.pwz.pyc.qcp.qd3.qif.qtc.qti.ram.rar.ras.rgb.rmi.rmm.rmp.rng.rnx.rpm.rtf.rtx.s3m.s7z.sbk.scm.sdp.sdr.sea.set.sgm.sid.sit.skd.skm.skp.skt.smi.snd.sol.spc.spl.spr.spx.src.ssi.ssm.sst.stl.stp.svf.svg.svr.swf.tar.tbk.tcl.tex.tgz.tif.tsi.tsp.tsv.txt.uil.uni.unv.uri.uue.vcd.vcf.vcs.vda.vdo.vew.viv.vmd.vmf.voc.vos.vox.vqe.vqf.vql.vrt.vsd.vst.vsw.w60.w61.w6w.wav.wb1.web.wiz.wk1.wmf.wml.wp5.wp6.wpd.wq1.wri.wrl.wrz.wsc.wtk.xbm.xdr.xgz.xif.xla.xlb.xlc.xld.xlk.xll.xlm.xls.xlt.xlv.xlw.xml.xmz.xpi.xpm.xsr.xwd.xyz.zip.zoo.zsh/qps0.0000000405044006600x%x108010th10 source: ESVoO7ywn5.exe

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_007108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_007108E0

Source: ESVoO7ywn5.exe

Static PE information: section name: .symtab

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

4_2_007108E0

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00714E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	4_2_00714E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00707210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	4_2_00707210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0070B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	4_2_0070B6B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00708360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	4_2_00708360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_007013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	4_2_007013F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00713FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	4_2_00713FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_007097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	4_2_007097B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00713580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	4_2_00713580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_0070ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	4_2_0070ACD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00715EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	4_2_00715EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00708C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	4_2_00708C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00709560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	4_2_00709560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00714950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	4_2_00714950

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00713AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

4_2_00713AF0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_0070FDD0 GetSystemInfo,wsprintfA,

4_2_0070FDD0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe, 00000006.00000002.1956984307.00000F3400748000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: ukx47g.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: ukx47g.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: chrome.exe, 00000006.00000002.1961203124.00000F34010F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: ukx47g.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: ukx47g.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: ukx47g.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: chrome.exe, 00000006.00000002.1958466214.00000F3400A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=c3c4a3b7-c32e-410d-a709-9c0faaef0ce4
Source: ukx47g.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: chrome.exe, 00000006.00000002.1958466214.00000F3400A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ce added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=c3c4a3b7-c32e-410d-a709-9c0faaef0ce4
Source: ukx47g.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000933000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000933000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: msedge.exe, 0000000B.00000003.2027692082.000015C0002B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: ukx47g.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: ukx47g.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: ukx47g.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: ukx47g.4.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: ESVoO7ywn5.exe, 00000000.00000002.1691684721.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000B.00000002.2055722628.00000237B5843000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.2153546868.000001EFD3A46000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000013.00000002.2232960817.00000232E2443000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000017.00000002.2386674329.000001C722A45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ukx47g.4.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: ukx47g.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: ukx47g.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: ukx47g.4.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: ukx47g.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ukx47g.4.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: ukx47g.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: ukx47g.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: ukx47g.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: chrome.exe, 00000006.00000002.1958466214.00000F3400A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qce added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=c3c4a3b7-c32e-410d-a709-9c0faaef0ce4
Source: ukx47g.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: ukx47g.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: ukx47g.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: ukx47g.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: chrome.exe, 00000006.00000002.1951189173.0000019EAE1C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

4_2_007108E0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_0070F470 CloseHandle,lstrlenA,GetProcessHeap,RtlFreeHeap,GetProcessHeap,HeapAlloc,lstrcpyA,

4_2_0070F470

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 700000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 700000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00711250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,		4_2_00711250
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4_2_00711310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,		4_2_00711310

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 520008	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 700000	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 701000	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 71E000	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 722000	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 725000	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 726000	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 727000	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 728000	Jump to behavior

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

Jump to behavior

Source: ESVoO7ywn5.exe

Binary or memory string: %s(?i)(?:\W|^)(, gp->status=, not pointer-byte block (.fasthttp.zst3814697265625403 Forbidden: unknown pc <script src="<unknown: %T>APACHE_FORMATAccept-RangesAlbanian (sq)Align 2-BytesAlign 4-BytesAlign 8-BytesAlign128BytesAlign256BytesAlign512BytesAnimateWindowAppConfigPathArmenian (hy)Assamese (as)AssemblyRefOSAuthorizationBEEGO_RUNMODEBSTR_UserFreeBSTR_UserSizeBefore RouterBefore StaticBrowserSearchCLIENT_RANDOMCONNECT_ERRORCache-ControlCertOpenStoreClearCustDataCoTaskMemFreeContains CodeContent-RangeCorsican (co)CreateActCtxWCreateRectRgnCreateTypeLibCroatian (hr)DebugStrippedDeleteServiceDestroyWindowDownArrowBar;DownTeeArrow;DrawFocusRectECDSAWithSHA1EFI ROM imageEFI byte codeEnumPrintersWEnumProcessesEstonian (et)ExitWindowsExExponentialE;ExtendedRelocFQDN too longFile TransferFindFirstFileFindNextFileWFindResourceWFinish RouterFreeAddrInfoWGC sweep waitGalician (gl)Georgian (ka)GetClassNameWGetClientRectGetDeviceCapsGetDriveTypeWGetIfEntry2ExGetMenuItemIDGetScrollInfoGetSystemMenuGetThemeColorGetWindowLongGetWindowRectGreaterEqual;GreaterTilde;Gujarati (gu)Gunjala_GondiHanja / KanjiHighEntropyVAHilbertSpace;HumpDownHump;If-None-MatchImageList_AddInterfaceImplIntersection;IsPlaceholderJapanese (ja)Kana / HangulKashmiri (ks)Konkani (kok)Last-ModifiedLeftArrowBar;LeftTeeArrow;LeftTriangle;LeftUpVector;LineTo failedLoadTypeLibExLoop DetectedMIPS JMP AddrMIPS with FPUMapViewOfFileMasaram_GondiMende_KikakuiMethodOptionsModule32NextWNotCongruent;NotHumpEqual;NotLessEqual;NotLessTilde;OMAP From SrcOld_HungarianOleInitializeOpenClipboardOpenThemeDataPKCS1WithSHA1PdhCloseQueryProportional;Quechua (quz)RISC-V Low 12RISC-V Low12sRegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWRequestMethodReservedNamesReset ContentRightCeiling;Romanian (ro)RoundImplies;RtlGetVersionRtlInitStringRtlMoveMemorySHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSSTREAM_CLOSEDSafeArrayCopySafeArrayLockSanskrit (sa)SetBrushOrgExSetScrollInfoSetWindowLongSetswana (tn)ShellExecuteWShell_TrayWndShortUpArrow;SquareSubset;StandAloneSigStartServiceWSysFreeStringThread32FirstTigrinya (ti)UnderBracket;Usage of %s:

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree,

4_2_0070FC20

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Queries volume information: C:\Users\user\Desktop\ESVoO7ywn5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ESVoO7ywn5.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_0071BAA0 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

4_2_0071BAA0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_00717210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,

4_2_00717210

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 4_2_0070FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

4_2_0070FBC0

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7980, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: BitLockerToGo.exe, 00000004.00000002.2566577986.0000000005170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ata\Local\\Coinomi\Coinomi\wallets\\
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000004.00000002.2563279231.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2563279231.0000000000947000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7980, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7980, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	1 Extra Window Memory Injection	1 Obfuscated Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	412 Process Injection	1 DLL Side-Loading	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	34 System Information Discovery	Distributed Component Object Model	11 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	412 Process Injection	Cached Domain Credentials	11 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ESVoO7ywn5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ESVoO7ywn5.exe