Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1632159
MD5: ed3e56e82616299362c06be3db4b4501
SHA1: aba484f0fcca2f4049738be60a2261139ff5cb22
SHA256: a6aa68fe529c45fbc83557b73308846911369230c0ca911652c851d682f60c87
Tags: NETexeMSILVidaruser-jstrosch
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Monitors registry run keys for changes
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://go.f.goldenloafuae.com Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.2.file.exe.3649550.0.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199829660832", "Botnet": "ir7am"}
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 74% Perma Link
Source: file.exe ReversingLabs: Detection: 86%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA, 1_2_00406A10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree, 1_2_00410830
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider, 1_2_0040A150
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406CF0 LocalAlloc,BCryptDecrypt, 1_2_00406CF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey, 1_2_00406940
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 1_2_0040A560
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 1_2_00406980
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49683 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49839 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdbMZ@ source: WERF266.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.pdb) source: WERF266.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERF266.tmp.dmp.4.dr
Source: Binary string: Initial.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: C:\Users\Admin\source\repos\Initial\Initial\obj\Release\Initial.pdb source: file.exe
Source: Binary string: System.ni.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WERF266.tmp.dmp.4.dr
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose, 1_2_00414E70
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 1_2_00407210
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose, 1_2_0040B6B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose, 1_2_00415EB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose, 1_2_00408360
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 1_2_00413FD0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose, 1_2_004013F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose, 1_2_00413580
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 1_2_004097B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose, 1_2_0040ACD0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn, 1_2_00408C90
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 1_2_00414950
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 1_2_00409560
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 1_2_00413AF0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 14MB later: 39MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49697 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49695 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.10:49687 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.10:49689 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49719 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49698 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49698 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49723 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49723 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49724 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49724 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49746 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49746 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49700 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49700 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49768 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49768 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.27.252:443 -> 192.168.2.10:49693
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.27.252:443 -> 192.168.2.10:49689
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49699 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49699 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49725 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49725 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49722 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49736 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49789 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.10:49789 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49839 -> 95.217.27.252:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.10:49840 -> 95.217.27.252:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199829660832
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.44.201.19 23.44.201.19
Source: Joe Sandbox View IP Address: 2.22.242.105 2.22.242.105
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 40.79.150.121
Source: unknown TCP traffic detected without corresponding DNS query: 40.79.150.121
Source: unknown TCP traffic detected without corresponding DNS query: 40.79.150.121
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 104.117.182.33
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.132.94
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.132.94
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.132.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.19
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.19
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.19
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.19
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.19
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.19
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 1_2_00403850
Source: global traffic HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: go.f.goldenloafuae.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlqHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMnczgEI4ODOAQjl484BCK/kzgEIyOTOAQjf5M4BCIvlzgEIjuXOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlqHLAQiKo8sBCIWgzQEI/aXOAQiB1s4BCMnczgEI4ODOAQjl484BCK/kzgEIyOTOAQjf5M4BCIvlzgEIjuXOAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.867cdfd625d830718faf.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=F9E0D1F8CE8D467F9EFF30F7E8492571.RefC=2025-03-07T19:10:22Z; USRLOC=; MUID=2AE5DD6B582E6D0F30EDC8C359996CFE; MUIDB=2AE5DD6B582E6D0F30EDC8C359996CFE; _EDGE_S=F=1&SID=22D27E42445C674A35C26BEA458E66F7; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=F9E0D1F8CE8D467F9EFF30F7E8492571.RefC=2025-03-07T19:10:22Z; USRLOC=; MUID=2AE5DD6B582E6D0F30EDC8C359996CFE; MUIDB=2AE5DD6B582E6D0F30EDC8C359996CFE; _EDGE_S=F=1&SID=22D27E42445C674A35C26BEA458E66F7; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.005fa5d1a45c7a2d7a6d.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=2AE5DD6B582E6D0F30EDC8C359996CFE; _EDGE_S=F=1&SID=22D27E42445C674A35C26BEA458E66F7; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1741374632730&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=f9e0d1f8ce8d467f9eff30f7e8492571&activityId=f9e0d1f8ce8d467f9eff30f7e8492571&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=2AE5DD6B582E6D0F30EDC8C359996CFE; _EDGE_S=F=1&SID=22D27E42445C674A35C26BEA458E66F7; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /b?rn=1741374632731&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2AE5DD6B582E6D0F30EDC8C359996CFE&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.4sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 500sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 3gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=F9E0D1F8CE8D467F9EFF30F7E8492571.RefC=2025-03-07T19:10:22Z; USRLOC=; MUID=2AE5DD6B582E6D0F30EDC8C359996CFE; MUIDB=2AE5DD6B582E6D0F30EDC8C359996CFE; _EDGE_S=F=1&SID=22D27E42445C674A35C26BEA458E66F7; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=e471404a-d276-4094-b764-d4b1c22f660a; ai_session=U9WGQ6DhZJ9+s92aVEj+l5|1741374632726|1741374632726; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=F9E0D1F8CE8D467F9EFF30F7E8492571.RefC=2025-03-07T19:10:22Z
Source: global traffic HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: */*Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":20,"imageId":"BB1msyCF","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=F9E0D1F8CE8D467F9EFF30F7E8492571.RefC=2025-03-07T19:10:22Z; USRLOC=; MUID=2AE5DD6B582E6D0F30EDC8C359996CFE; MUIDB=2AE5DD6B582E6D0F30EDC8C359996CFE; _EDGE_S=F=1&SID=22D27E42445C674A35C26BEA458E66F7; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=e471404a-d276-4094-b764-d4b1c22f660a; ai_session=U9WGQ6DhZJ9+s92aVEj+l5|1741374632726|1741374632726; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=F9E0D1F8CE8D467F9EFF30F7E8492571.RefC=2025-03-07T19:10:22Z
Source: global traffic HTTP traffic detected: GET /b2?rn=1741374632731&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=2AE5DD6B582E6D0F30EDC8C359996CFE&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1B78a5df139ff85e4ba78191741374635; XID=1B78a5df139ff85e4ba78191741374635
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1741374632730&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=f9e0d1f8ce8d467f9eff30f7e8492571&activityId=f9e0d1f8ce8d467f9eff30f7e8492571&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=C21CDA202D0C4DF6AABBACB9D6B1AF10&MUID=2AE5DD6B582E6D0F30EDC8C359996CFE HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=2AE5DD6B582E6D0F30EDC8C359996CFE; _EDGE_S=F=1&SID=22D27E42445C674A35C26BEA458E66F7; _EDGE_V=1; SM=T; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log10.20.dr String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log10.20.dr String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log10.20.dr String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000003.1381796184.000002840189C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000E.00000003.1381796184.000002840189C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1459982546.000002840148C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459556132.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1459556132.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlr equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000E.00000002.1459982546.000002840148C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: go.f.goldenloafuae.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----9zcba1nym7gv3e3oh47gUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: go.f.goldenloafuae.comContent-Length: 255Connection: Keep-AliveCache-Control: no-cache
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000000E.00000002.1456436729.0000028400B88000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 0000000E.00000002.1453646008.0000028400154000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1453361285.00000284000DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: file.exe, 00000001.00000002.1986878340.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1982267616.0000000003D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://e6.i.lencr.org/0
Source: file.exe, 00000001.00000002.1986878340.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1982267616.0000000003D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://e6.o.lencr.org0
Source: chrome.exe, 0000000E.00000002.1453224654.0000028400096000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 0000000E.00000002.1464304762.0000028401C04000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 0000000E.00000002.1458819147.00000284010D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 0000000E.00000002.1458980523.0000028401130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 0000000E.00000002.1443336845.0000021288FD2000.00000002.00000001.00040000.00000013.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: file.exe, 00000001.00000002.1986878340.00000000041B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1986878340.00000000041F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000001.00000002.1986878340.00000000041B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1986878340.00000000041F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: chrome.exe, 0000000E.00000002.1458714261.0000028401094000.00000004.00001000.00020000.00000000.sdmp, zm7gdb.1.dr String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000002.1453086140.000002840003C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000000E.00000002.1456059813.0000028400AB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1464304762.0000028401C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1455850379.0000028400A64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000000E.00000002.1464304762.0000028401C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000000E.00000002.1461973014.0000028401A24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000000E.00000002.1453254781.00000284000B1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000000E.00000002.1453254781.00000284000B1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABata
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000000E.00000002.1464304762.0000028401C04000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com05b1
Source: chrome.exe, 0000000E.00000002.1455850379.0000028400A64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: msedge.exe, 00000012.00000003.1546845265.0000461C003E4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 0000000E.00000002.1467164560.0000028402204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: msedge.exe, 00000012.00000002.1613903330.0000020C7352F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com963
Source: chrome.exe, 0000000E.00000002.1457167517.0000028400CC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, xl6pp8.1.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, xl6pp8.1.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: chrome.exe, 0000000E.00000003.1416715765.000002840189C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1416747181.0000028400878000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415805539.00000284018BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1416674268.000002840176C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 0000000E.00000002.1457823888.0000028400E68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459804360.0000028401404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458418022.0000028400FB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.1458714261.0000028401094000.00000004.00001000.00020000.00000000.sdmp, zm7gdb.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000001.00000002.1986377064.00000000040AB000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458714261.0000028401094000.00000004.00001000.00020000.00000000.sdmp, zm7gdb.1.dr, Web Data.20.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000001.00000002.1986377064.00000000040AB000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458714261.0000028401094000.00000004.00001000.00020000.00000000.sdmp, zm7gdb.1.dr, Web Data.20.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000E.00000003.1415216847.0000028401904000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1456436729.0000028400B88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1456985867.0000028400C54000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000012.00000002.1615884025.0000461C0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000E.00000002.1454367409.0000028400328000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore/category/collection/chrome_color_themes?hl=$
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1453047193.0000028400014000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458980523.0000028401130000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459859744.0000028401420000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1449265230.000002128FDB7000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 0000000E.00000003.1415968966.00000284014A8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415875352.0000028401498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415216847.0000028401904000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000E.00000003.1364356180.00000280005E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1364324538.00000280005DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000E.00000002.1456195705.0000028400B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000E.00000002.1456195705.0000028400B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 0000000E.00000002.1453805564.0000028400190000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000012.00000002.1615884025.0000461C0017C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.20.dr String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000000E.00000002.1457167517.0000028400CC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 0000000E.00000002.1457167517.0000028400CC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000000E.00000003.1358938265.000046E0000DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000E.00000002.1457056086.0000028400C7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1453805564.0000028400190000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1453772401.0000028400180000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459859744.0000028401420000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000012.00000002.1614537280.0000461C00040000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.20.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000E.00000002.1456396534.0000028400B70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 0000000E.00000002.1456273058.0000028400B28000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 0000000E.00000002.1456273058.0000028400B28000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000000E.00000002.1456436729.0000028400B88000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, xl6pp8.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, xl6pp8.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 0000000E.00000002.1454847908.0000028400530000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 0000000E.00000002.1459982546.000002840148C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458680060.000002840105C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 0000000E.00000002.1457056086.0000028400C7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458680060.000002840105C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 0000000E.00000002.1455671212.0000028400994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458680060.000002840105C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 0000000E.00000002.1457823888.0000028400E68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459804360.0000028401404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458418022.0000028400FB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.1457823888.0000028400E68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459804360.0000028401404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458418022.0000028400FB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.1459982546.000002840148C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459754936.00000284013EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 0000000E.00000002.1455671212.0000028400994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460237178.0000028401550000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459754936.00000284013EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 0000000E.00000002.1463077512.0000028401B24000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1457823888.0000028400E68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459754936.00000284013EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000E.00000002.1459804360.0000028401404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458418022.0000028400FB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 0000000E.00000002.1459556132.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460237178.0000028401550000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 0000000E.00000002.1455671212.0000028400994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000E.00000002.1457823888.0000028400E68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459804360.0000028401404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458418022.0000028400FB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.1459804360.0000028401404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actionst
Source: chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp, manifest.json0.20.dr String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 0000000E.00000002.1458980523.0000028401130000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459982546.000002840148C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 0000000E.00000002.1458980523.0000028401130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2e
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459556132.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458849344.00000284010F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000E.00000002.1459556132.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_defaultrdler
Source: file.exe, 00000001.00000002.1986377064.00000000040AB000.00000004.00000020.00020000.00000000.sdmp, zm7gdb.1.dr, Web Data.20.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000001.00000002.1986377064.00000000040AB000.00000004.00000020.00020000.00000000.sdmp, zm7gdb.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: file.exe, 00000001.00000002.1986377064.00000000040AB000.00000004.00000020.00020000.00000000.sdmp, zm7gdb.1.dr, Web Data.20.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr, HubApps Icons.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chrome.exe, 0000000E.00000003.1415502574.00000284019AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415335154.0000028401984000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://gaana.com/
Source: chrome.exe, 0000000E.00000002.1458714261.0000028401094000.00000004.00001000.00020000.00000000.sdmp, zm7gdb.1.dr String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415600805.0000028401930000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415600805.0000028401930000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic2
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.f.goldenloafuae.com
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.f.goldenloafuae.com/
Source: chrome.exe, 0000000E.00000003.1364324538.00000280005DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000E.00000003.1364356180.00000280005E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1364324538.00000280005DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000E.00000003.1364356180.00000280005E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1364324538.00000280005DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000E.00000003.1364356180.00000280005E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1364324538.00000280005DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 0000000E.00000003.1364324538.00000280005DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: msedge.exe, 00000012.00000002.1616265210.0000461C002D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000E.00000002.1456952134.0000028400C3C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1416976077.0000028401D2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, xl6pp8.1.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 00000012.00000003.1546766775.0000461C00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000000E.00000002.1462054700.0000028401A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458759648.000002840109C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1457960928.0000028400EC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000000E.00000002.1454876630.0000028400544000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467363881.0000028402274000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000000E.00000003.1416747181.0000028400878000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415805539.00000284018BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://m.kugou.com/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://m.soundcloud.com/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://m.vk.com/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459982546.000002840148C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1457823888.0000028400E68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000000E.00000002.1454876630.0000028400544000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467363881.0000028402274000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
Source: chrome.exe, 0000000E.00000002.1457056086.0000028400C7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459530835.0000028401300000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 0000000E.00000002.1455671212.0000028400994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000E.00000002.1455671212.0000028400994000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaulttml
Source: msedge.exe, 00000012.00000002.1616265210.0000461C002D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000012.00000002.1616265210.0000461C002D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://msn.com/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://music.amazon.com
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://music.apple.com
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://music.yandex.com
Source: chrome.exe, 0000000E.00000002.1457735703.0000028400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459896550.0000028401454000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000000E.00000002.1457634803.0000028400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459263279.0000028401204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458578774.0000028401004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000000E.00000002.1457634803.0000028400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458578774.0000028401004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000E.00000002.1457634803.0000028400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458578774.0000028401004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000000E.00000003.1380634874.00000284014C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458299036.0000028400F74000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 00000012.00000002.1616265210.0000461C002D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://office.net/
Source: chrome.exe, 0000000E.00000002.1467164560.0000028402204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000000E.00000002.1462677178.0000028401AE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000E.00000002.1467164560.0000028402204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000000E.00000002.1467164560.0000028402204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://open.spotify.com
Source: chrome.exe, 0000000E.00000002.1460722811.0000028401680000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460879104.00000284016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459859744.0000028401420000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460856024.00000284016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1380489874.0000028401668000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000E.00000002.1463769615.0000028401BD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459470472.00000284012D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460856024.00000284016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1380489874.0000028401668000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000E.00000002.1460722811.0000028401680000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460856024.00000284016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1453615161.0000028400144000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000000E.00000002.1453879753.00000284001C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460722811.0000028401680000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460879104.00000284016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1448141576.000002128E277000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000E.00000002.1461999379.0000028401A34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460856024.00000284016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1380489874.0000028401668000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1455093673.00000284005E6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000E.00000002.1460722811.0000028401680000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460879104.00000284016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1461999379.0000028401A34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460856024.00000284016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1380489874.0000028401668000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458260239.0000028400F58000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000E.00000002.1460722811.0000028401680000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459470472.00000284012D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460856024.00000284016C4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000E.00000002.1463769615.0000028401BD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1461999379.0000028401A34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1460856024.00000284016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1380489874.0000028401668000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1455093673.00000284005E6000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459896550.0000028401454000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.live.com/mail/0/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: chrome.exe, 0000000E.00000003.1416715765.000002840189C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1416747181.0000028400878000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415805539.00000284018BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://outlook.office.com/calendar/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.office.com/mail/0/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 0000000E.00000002.1457088515.0000028400C8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://passwords.google/
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://people.googleapis.com/
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000012.00000003.1545538082.0000461C00274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 0000000E.00000003.1380634874.00000284014C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458299036.0000028400F74000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://policies.google.com/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: chrome.exe, 0000000E.00000002.1456103453.0000028400AF2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000E.00000002.1456103453.0000028400AF2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000E.00000002.1454710036.00000284004F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415928003.00000284004F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000E.00000002.1453254781.00000284000A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 0000000E.00000002.1458980523.0000028401130000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000E.00000002.1462054700.0000028401A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458680060.000002840105C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1457960928.0000028400EC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.1454876630.0000028400544000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467363881.0000028402274000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: file.exe, file.exe, 00000001.00000002.1979891635.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
Source: file.exe, 00000001.00000002.1979891635.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 0000000E.00000002.1455671212.0000028400994000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: file.exe, 00000001.00000002.1989742690.0000000004836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000001.00000002.1989742690.0000000004836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000001.00000002.1980324743.000000000122F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: file.exe, file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1980324743.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1979891635.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/l793oy
Source: file.exe, 00000001.00000002.1979891635.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/l793oyir7amMozilla/5.0
Source: chrome.exe, 0000000E.00000002.1458980523.0000028401130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000000E.00000002.1454156209.0000028400238000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://tidal.com/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.20.dr String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.20.dr String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.20.dr String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://vibe.naver.com/today
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://web.telegram.org/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://web.whatsapp.com
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, xl6pp8.1.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.deezer.com/
Source: file.exe, 00000001.00000002.1986377064.00000000040AB000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458714261.0000028401094000.00000004.00001000.00020000.00000000.sdmp, zm7gdb.1.dr String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 0000000E.00000002.1463640863.0000028401BB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000E.00000002.1456985867.0000028400C54000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000E.00000002.1461003343.0000028401704000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 0000000E.00000002.1457088515.0000028400C8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 0000000E.00000002.1457167517.0000028400CC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 0000000E.00000002.1457167517.0000028400CC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415600805.0000028401930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000E.00000002.1441948465.0000021288610000.00000002.00000001.00040000.00000012.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 0000000E.00000002.1458479394.0000028400FD4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1457960928.0000028400EC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: file.exe, 00000001.00000002.1986377064.00000000040AB000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1453912137.00000284001D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1455671212.0000028400994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1456273058.0000028400B28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454905551.0000028400558000.00000004.00001000.00020000.00000000.sdmp, zm7gdb.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.icoe
Source: chrome.exe, 0000000E.00000002.1454876630.0000028400544000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467363881.0000028402274000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
Source: chrome.exe, 0000000E.00000002.1467164560.0000028402204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1416976077.0000028401D2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1416932810.0000028401D20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1415600805.0000028401930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000E.00000002.1455705468.00000284009A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000000E.00000003.1416497649.000002800073C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1417214773.0000028401D44000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000000E.00000002.1454115921.000002840020C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000000E.00000002.1463640863.0000028401BB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000E.00000002.1461999379.0000028401A34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1456436729.0000028400B88000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000E.00000002.1462238413.0000028401AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/useren_image_grey600_18dp.png
Source: chrome.exe, 0000000E.00000002.1465566478.0000028401CA4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467209810.0000028402210000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1423105011.0000028401FD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467363881.0000028402274000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467008632.00000284021B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467288142.000002840223C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1467327799.0000028402254000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1462238413.0000028401AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/useren_image_grey600_18dp.png
Source: chrome.exe, 0000000E.00000002.1467164560.0000028402204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.WcyoQrvsWY0.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000000E.00000002.1467164560.0000028402204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.L8bgMGq1rcI.L.W.O/m=qmd
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.iheart.com/podcast/
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.instagram.com
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.last.fm/
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, xl6pp8.1.dr String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.messenger.com
Source: file.exe, 00000001.00000002.1989742690.0000000004836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: file.exe, 00000001.00000002.1989742690.0000000004836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: file.exe, 00000001.00000002.1989742690.0000000004836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000001.00000002.1989742690.0000000004836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000001.00000002.1989742690.0000000004836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.office.com
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459982546.000002840148C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459668522.00000284013A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459437515.00000284012AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 0000000E.00000002.1463324303.0000028401B80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1459556132.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1458955069.0000028401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1454536201.00000284004E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 0000000E.00000002.1459556132.0000028401344000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1375375796.0000028401344000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlr
Source: 33bbe23d-6b16-4242-9819-814f54b4872d.tmp.20.dr String found in binary or memory: https://y.music.163.com/m/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49683 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.10:49839 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00410A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_00410A90
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop, 1_2_00406480

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.file.exe.3649550.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000001.00000002.1979891635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009625E0 0_2_009625E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00404A20 1_2_00404A20
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00418630 1_2_00418630
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041B770 1_2_0041B770
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041B300 1_2_0041B300
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041C100 1_2_0041C100
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004193D0 1_2_004193D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041A7D0 1_2_0041A7D0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00410D00 appears 42 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040F5B0 appears 135 times
One or more processes crash
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 800
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1138340258.000000000099E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Yara signature match
Source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.file.exe.3649550.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000001.00000002.1979891635.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: .CSS ZLIB complexity 1.0003622159090908
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@71/275@24/23
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle, 1_2_00411250
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\4R30EGPD.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6936
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b6b0a6e6-d85c-44da-ab3e-b2b43c56baf3 Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: chrome.exe, 0000000E.00000002.1457167517.0000028400CD5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: gv3w4e37y.1.dr, 47gdjwt00.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 74%
Source: file.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 800
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2420,i,1879571237387738867,10453943320962855917,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2548 /prefetch:3
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2512 --field-trial-handle=2312,i,271099577594506018,1403885451667962874,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2788 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6680 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6852 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ymg4o" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceuserer --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6776 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ymg4o" & exit Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2420,i,1879571237387738867,10453943320962855917,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2548 /prefetch:3 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2512 --field-trial-handle=2312,i,271099577594506018,1403885451667962874,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2788 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6680 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6852 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceuserer --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6776 --field-trial-handle=2244,i,2275257019305872411,4464955084961015424,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Windows.Forms.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdbMZ@ source: WERF266.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.pdb) source: WERF266.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERF266.tmp.dmp.4.dr
Source: Binary string: Initial.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: C:\Users\Admin\source\repos\Initial\Initial\obj\Release\Initial.pdb source: file.exe
Source: Binary string: System.ni.pdb source: WERF266.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WERF266.tmp.dmp.4.dr
Binary contains a suspicious time stamp
Source: file.exe Static PE information: 0xE13E9B06 [Sat Oct 1 03:41:58 2089 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004108E0
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name: .CSS

Boot Survival
barindex
Monitors registry run keys for changes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004108E0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2640000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4640000 memory reserve | memory write watch Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 4356 Thread sleep count: 95 > 30
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose, 1_2_00414E70
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 1_2_00407210
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose, 1_2_0040B6B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose, 1_2_00415EB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose, 1_2_00408360
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 1_2_00413FD0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose, 1_2_004013F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose, 1_2_00413580
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 1_2_004097B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose, 1_2_0040ACD0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn, 1_2_00408C90
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 1_2_00414950
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 1_2_00409560
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 1_2_00413AF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040FDD0 GetSystemInfo,wsprintfA, 1_2_0040FDD0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\ Jump to behavior
Source: Web Data.20.dr Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitionJG
Source: chrome.exe, 0000000E.00000002.1460902962.00000284016DC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=4c5a614a-04da-4a06-a70a-e5f1dd0d2306
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C21B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorS
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1447381441.000002128C1FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Web Data.20.dr Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: chrome.exe, 0000000E.00000003.1407646781.000002128FA07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Registry\Machine\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}\InProcServer326328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-ProcessR0
Source: Web Data.20.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Web Data.20.dr Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: Web Data.20.dr Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: Web Data.20.dr Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: chrome.exe, 0000000E.00000003.1404344553.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1405324361.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403684880.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Serviceram
Source: chrome.exe, 0000000E.00000003.1409797579.000002128FA76000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403929217.000002128FA5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence N
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C185000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V ulsqnrsvaqeqbjp Bus
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: chrome.exe, 0000000E.00000003.1408090697.000002128F9D3000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1448456994.000002128F9FA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1407883332.000002128F9F9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1408180037.000002128F9F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Registry\Machine\Software\Classes\CLSID\{C2CB2CF0-AF47-413E-9780-8BC3A3C16068}\InProcServer326328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-ProcessR0
Source: chrome.exe, 0000000E.00000003.1404280745.000002128FA0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesqG
Source: chrome.exe, 0000000E.00000003.1404344553.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1405324361.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercep
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesndoo
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: chrome.exe, 0000000E.00000003.1404223592.000002128F9ED000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1405256356.000002128F9ED000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403639030.000002128F9E6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403598194.000002128F9CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupt
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Servicei
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Web Data.20.dr Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: Web Data.20.dr Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C185000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: chrome.exe, 0000000E.00000003.1409442180.000002128F9D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: chrome.exe, 0000000E.00000003.1409923656.000002128F9D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: evice Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: Web Data.20.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Web Data.20.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Web Data.20.dr Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: chrome.exe, 0000000E.00000003.1406113646.000002128F9F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Registry\Machine\Software\Classes\CLSID\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\InProcServer326328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-ProcessR0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: chrome.exe, 0000000E.00000003.1405010996.000002128F9F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: Web Data.20.dr Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: chrome.exe, 0000000E.00000003.1404344553.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1405324361.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: chrome.exe, 0000000E.00000003.1409636472.000002128FA62000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1448710119.000002128FA62000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1410584279.000002128FA62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: Web Data.20.dr Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: Web Data.20.dr Binary or memory string: global block list test formVMware20,11696501413
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: Web Data.20.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C21B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical ProcessormuiE
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical ProcessorS3
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid PartitionntqOm
Source: Web Data.20.dr Binary or memory string: tasks.office.comVMware20,11696501413o
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Web Data.20.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Web Data.20.dr Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: Web Data.20.dr Binary or memory string: dev.azure.comVMware20,11696501413j
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V ulsqnrsvaqeqbjp Bus Pipes
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisoriu
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitionFF
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partitionh
Source: chrome.exe, 0000000E.00000002.1441578419.0000021288513000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR:
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesldF
Source: chrome.exe, 0000000E.00000003.1409442180.000002128F9D3000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1409923656.000002128F9D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence N
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Web Data.20.dr Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Web Data.20.dr Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Web Data.20.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Web Data.20.dr Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: chrome.exe, 0000000E.00000003.1409412814.000002128F9D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: umber4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs Sent/sec5098GPA Space Hypercalls/sec5100Logical Proce
Source: Web Data.20.dr Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: chrome.exe, 0000000E.00000003.1403993057.000002128FA2B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403477321.000002128FA13000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1405106516.000002128FA2C000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403543846.000002128FA2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842
Source: Web Data.20.dr Binary or memory string: AMC password management pageVMware20,11696501413
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Web Data.20.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: chrome.exe, 0000000E.00000003.1404344553.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1405324361.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403684880.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: chrome.exe, 0000000E.00000003.1404344553.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.1448456994.000002128F940000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1405324361.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.1403684880.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 0000000E.00000003.1366827876.00000284004D8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware20,1(
Source: chrome.exe, 0000000E.00000002.1447381441.000002128C1FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.mui..
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: msedge.exe, 00000012.00000002.1610738674.0000020C71644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.20.dr Binary or memory string: outlook.office.comVMware20,11696501413s
Source: chrome.exe, 0000000E.00000003.1407156247.000002128FA07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Registry\Machine\Software\Classes\CLSID\{e2bf9676-5f8f-435c-97eb-11607a5bedf7}\InProcServer326328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-ProcessR0
Source: Web Data.20.dr Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: file.exe, 00000001.00000002.1980324743.00000000011D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Web Data.20.dr Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 0000000E.00000003.1403684880.000002128F9A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Web Data.20.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: chrome.exe, 0000000E.00000002.1441578419.0000021288581000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partitionll
Source: Web Data.20.dr Binary or memory string: discord.comVMware20,11696501413f
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004108E0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02642111 mov edi, dword ptr fs:[00000030h] 0_2_02642111
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0264228E mov edi, dword ptr fs:[00000030h] 0_2_0264228E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040F450 GetProcessHeap,RtlFreeHeap, 1_2_0040F450
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02642111 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02642111
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A Jump to behavior
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle, 1_2_00411250
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00411310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle, 1_2_00411310
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ymg4o" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree, 1_2_0040FC20
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041BAA0 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_0041BAA0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00417210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW, 1_2_00417210
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 1_2_0040FBC0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 6960, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000001.00000002.1980324743.0000000001216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000001.00000002.1980324743.0000000001216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: file.exe, 00000001.00000002.1980324743.0000000001216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: file.exe, 00000001.00000002.1980324743.0000000001216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: multidoge.wallet
Source: file.exe, 00000001.00000002.1980324743.0000000001216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: file.exe, 00000001.00000002.1980324743.0000000001216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: file.exe, 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\security_state\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\saved-telemetry-pings\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\crashes\events\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\temporary\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\minidumps\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\pending_pings\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\default\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\tmp\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\to-be-removed\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\sessionstore-backups\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\dtbqpus9.default\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\events\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\crashes\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\db\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\glean\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\bookmarkbackups\key4.db Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.1980324743.0000000001256000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6960, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 6960, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1632159 Sample: file.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 51 go.f.goldenloafuae.com 2->51 53 t.me 2->53 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 6 other signatures 2->85 9 file.exe 2->9         started        12 msedge.exe 2->12         started        signatures3 process4 dnsIp5 87 Attempt to bypass Chrome Application-Bound Encryption 9->87 89 Contains functionality to inject code into remote processes 9->89 91 Searches for specific processes (likely to inject) 9->91 93 Injects a PE file into a foreign processes 9->93 15 file.exe 29 9->15         started        19 WerFault.exe 19 16 9->19         started        57 239.255.255.250 unknown Reserved 12->57 22 msedge.exe 12->22         started        24 msedge.exe 12->24         started        26 msedge.exe 12->26         started        28 msedge.exe 12->28         started        signatures6 process7 dnsIp8 59 go.f.goldenloafuae.com 95.217.27.252, 443, 49683, 49687 HETZNER-ASDE Germany 15->59 61 t.me 149.154.167.99, 443, 49681 TELEGRAMRU United Kingdom 15->61 63 127.0.0.1 unknown unknown 15->63 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->71 73 Found many strings related to Crypto-Wallets (likely being stolen) 15->73 75 Tries to harvest and steal ftp login credentials 15->75 77 3 other signatures 15->77 30 msedge.exe 2 9 15->30         started        33 chrome.exe 15->33         started        36 cmd.exe 15->36         started        47 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->47 dropped 65 18.173.132.94, 443, 49811, 49836 MIT-GATEWAYSUS United States 22->65 67 c-msn-pme.trafficmanager.net 13.74.129.1, 443, 49769 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->67 69 32 other IPs or domains 22->69 file9 signatures10 process11 dnsIp12 95 Monitors registry run keys for changes 30->95 38 msedge.exe 30->38         started        49 192.168.2.10, 138, 443, 49164 unknown unknown 33->49 40 chrome.exe 33->40         started        43 conhost.exe 36->43         started        45 timeout.exe 36->45         started        signatures13 process14 dnsIp15 55 www.google.com 172.217.16.196, 443, 49705, 49708 GOOGLEUS United States 40->55
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.44.201.19
 unknown United States
20940 AKAMAI-ASN1EU false
2.22.242.105
 a416.dscd.akamai.net European Union
20940 AKAMAI-ASN1EU false
92.123.12.148
 e28578.d.akamaiedge.net European Union
16625 AKAMAI-ASUS false
149.154.167.99
 t.me United Kingdom
62041 TELEGRAMRU false
40.79.150.121
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
162.159.61.3
 unknown United States
13335 CLOUDFLARENETUS false
13.74.129.1
 c-msn-pme.trafficmanager.net United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.217.18.97
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
20.110.205.119
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
204.79.197.219
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.64.41.3
 chrome.cloudflare-dns.com United States
13335 CLOUDFLARENETUS false
23.209.72.8
 unknown United States
20940 AKAMAI-ASN1EU false
95.217.27.252
 go.f.goldenloafuae.com Germany
24940 HETZNER-ASDE true
23.57.90.166
 unknown United States
35994 AKAMAI-ASUS false
18.173.132.94
 unknown United States
3 MIT-GATEWAYSUS false
18.244.18.38
 sb.scorecardresearch.com United States
16509 AMAZON-02US false
104.117.182.33
 unknown United States
20940 AKAMAI-ASN1EU false
239.255.255.250
 unknown Reserved
unknown unknown false
172.217.16.196
 www.google.com United States
15169 GOOGLEUS false
204.79.197.203
 a-0003.a-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
23.57.90.78
 unknown United States
35994 AKAMAI-ASUS false

Private

IP
192.168.2.10
127.0.0.1

Contacted Domains

Name IP Active
s-part-0012.t-0009.t-msedge.net 13.107.246.40 true
chrome.cloudflare-dns.com 172.64.41.3 true
a416.dscd.akamai.net 2.22.242.105 true
t.me 149.154.167.99 true
a-0003.a-msedge.net 204.79.197.203 true
c-msn-pme.trafficmanager.net 13.74.129.1 true
ssl.bingadsedgeextension-prod-europe.azurewebsites.net 94.245.104.56 true
ax-0001.ax-msedge.net 150.171.28.10 true
go.f.goldenloafuae.com 95.217.27.252 true
sb.scorecardresearch.com 18.244.18.38 true
www.google.com 172.217.16.196 true
googlehosted.l.googleusercontent.com 172.217.18.97 true
e28578.d.akamaiedge.net 92.123.12.148 true
clients2.googleusercontent.com unknown unknown
bzib.nelreports.net unknown unknown
assets.msn.com unknown unknown
c.msn.com unknown unknown
ntp.msn.com unknown unknown
api.msn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 false
    		high
    https://go.f.goldenloafuae.com/ true
    • Avira URL Cloud: malware
    		 unknown
    https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true false
      		high
      https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true false
        		high
        https://bzib.nelreports.net/api/report?cat=bingbusiness false
          		high
          https://ntp.msn.com/bundles/v1/edgeChromium/latest/SSR-extension.867cdfd625d830718faf.js false
            		high
            https://assets.msn.com/statics/icons/favicon_newtabpage.png false
              		high
              https://t.me/l793oy false
                		high
                https://steamcommunity.com/profiles/76561199829660832 false
                  		high