Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1639583
MD5:	38da35e91c9aeea07d77b7df32e30591
SHA1:	49eebb6f1db4065b62e276f61c6f2c6abc0cb66e
SHA256:	53d491fcb95b0cd2c073b1a2b7dc8c032e9de2d9422ac13170fe5975b78f6a7e
Tags:	exeuser-Bitsight
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Searches for specific processes (likely to inject)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Browser Started with Remote Debugging

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Found malware configuration

Source: 2.2.MSBuild.exe.400000.0.raw.unpack

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199832267488", "Botnet": "dqu220"}

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 19%			Perma Link
Source: file.exe	ReversingLabs: Detection: 16%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA,	2_2_00406A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	2_2_00410830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	2_2_0040A150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406CF0 LocalAlloc,BCryptDecrypt,	2_2_00406CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	2_2_00406940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	2_2_0040A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	2_2_00406980

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.7:49682 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A1358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7531A1358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A11D4 FindFirstFileExW,	0_2_00007FF7531A11D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	2_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	2_2_00408360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_004097B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	2_2_00414E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	2_2_0040ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	2_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	2_2_00415EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	2_2_00414950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_00409560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00413FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	2_2_004013F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	2_2_00413580

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

2_2_00413AF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 6MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.7:49683 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.7:49686 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49687 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49721 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49688 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49689 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49689 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49718 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49722 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49722 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.63.132:443 -> 192.168.2.7:49686
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49724 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49724 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49690 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49690 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49691 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49691 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49776 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.63.132:443 -> 192.168.2.7:49685
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49789 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49789 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49834 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49834 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49723 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49723 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49814 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49814 -> 78.47.63.132:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199832267488

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 52.168.117.175 52.168.117.175
Source: Joe Sandbox View	IP Address: 2.22.242.11 2.22.242.11
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

2_2_00403850

Source: global traffic	HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: t.p.formaxprime.co.ukConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.cb278af4d754dd8a1a58.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.08ddc3af8246ad2193cd.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.1ed6fad3ee8a8960478c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.f2bbb948ce12d0d1625c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.8704366d527afd4c1c1c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1742076230513&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a6701706864e412abbf0e9e1cf90af38&activityId=a6701706864e412abbf0e9e1cf90af38&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1742076230514&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=06898F1A137E61ED2A909AAA12D66026&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1742076230514&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=06898F1A137E61ED2A909AAA12D66026&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=184aec4ece667d50c8349e61742076232; XID=184aec4ece667d50c8349e61742076232
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.75sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 250sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=f894a01a-65a1-42cd-84d2-bac763fe6a80; ai_session=qBH2uQSGXtetv6P0L1uXGB\|1742076230508\|1742076230508; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":37,"imageId":"BB1msMCf","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=f894a01a-65a1-42cd-84d2-bac763fe6a80; ai_session=qBH2uQSGXtetv6P0L1uXGB\|1742076230508\|1742076230508; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1742076230513&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a6701706864e412abbf0e9e1cf90af38&activityId=a6701706864e412abbf0e9e1cf90af38&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=A8E397131C874C1FAC7B2D8BF332CDF5&MUID=06898F1A137E61ED2A909AAA12D66026 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1; SM=T

Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000003.976791093.000009CC03604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.983871203.000009CC02514000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000003.00000003.976791093.000009CC03604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.983871203.000009CC02514000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: t.p.formaxprime.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----900h4wl68q1djm7ymglxUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: t.p.formaxprime.co.ukContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000003.00000003.1001655338.000009CC034C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: Amcache.hve.32.dr	String found in binary or memory: http://upx.sf.net
Source: chromecache_445.4.dr	String found in binary or memory: http://www.broofa.com
Source: h4euai.2.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000003.00000003.1010544983.000009CC02980000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001438598.000009CC02980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chromecache_443.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_443.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp, chromecache_445.4.dr, chromecache_443.4.dr	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 00000008.00000002.1104415049.0000022BCBD57000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1271888229.00000226B2482000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: json[1].json.2.dr	String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.png
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.15.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://c.msn.com/
Source: chrome.exe, 00000003.00000003.984027708.000009CC03624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001718973.000009CC03514000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001786497.000009CC02794000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: h4euai.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.14.dr, service_worker_bin_prod.js.14.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000003.00000003.1010108435.000009CC03A64000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000008.00000002.1107046665.000078E80017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1302551154.000078800017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.14.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000003.00000003.976522721.000009CC03368000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001595220.000009CC038EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010108435.000009CC03A64000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000003.00000003.966178523.000009C800504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000003.00000003.966178523.000009C800504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000003.00000003.966162642.000009C8004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: msedge.exe, 00000008.00000002.1107046665.000078E80017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1302551154.000078800017C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.14.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: msedge.exe, 0000000C.00000002.1302551154.000078800017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/https://chrome.google.com/webstorex
Source: 53ec8dce-f773-41e1-8b5d-8921ed252e7c.tmp.15.dr	String found in binary or memory: https://clients2.google.com
Source: chrome.exe, 00000003.00000003.960177709.00005410000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: msedge.exe, 00000008.00000002.1106603419.000078E800040000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1298254974.0000788000054000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.14.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 53ec8dce-f773-41e1-8b5d-8921ed252e7c.tmp.15.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_443.4.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_443.4.dr	String found in binary or memory: https://content.googleapis.com
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 2cc80dabc69f58b6_0.14.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json0.14.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chromecache_443.4.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive.google.com/
Source: h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.14.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log2.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log2.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log1.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log2.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chrome.exe, 00000003.00000003.984963946.000009CC03758000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.985391847.000009CC03704000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.984963946.000009CC03780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://gaana.com/
Source: h4euai.2.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.966162642.000009C8004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000003.00000003.966162642.000009C8004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000003.00000003.1010660098.000009CC03E84000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: n7glxt.2.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: chrome.exe, 00000003.00000003.984027708.000009CC03624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001786497.000009CC02794000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://m.kugou.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://m.soundcloud.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://m.vk.com/
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: Cookies.15.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.15.dr	String found in binary or memory: https://msn.comXIDv10
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://music.amazon.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://music.apple.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://music.yandex.com
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000003.00000003.976559785.000009CC03378000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log10.14.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.14.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.14.dr, 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13386549825537769.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.14.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.14.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000003.00000003.1010008825.000009CC03538000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://open.spotify.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: chrome.exe, 00000003.00000003.984027708.000009CC03624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001786497.000009CC02794000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000008.00000003.1089167177.000078E8001D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/events
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chromecache_445.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_443.4.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_443.4.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000003.00000003.976559785.000009CC03378000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://srtb.msn.com/
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: MSBuild.exe, MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
Source: MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/?
Source: MSBuild.exe, MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000E48000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontent
Source: MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/7wner3.default-release
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/G
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/I
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/W
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/ac
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/l
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/qL
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/s
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk:
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk?
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.ukj
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://tidal.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://vibe.naver.com/today
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.telegram.org/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.whatsapp.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_443.4.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.deezer.com/
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 00000003.00000003.1010108435.000009CC03A64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.976559785.000009CC03378000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: content_new.js.14.dr, content.js.14.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Web Data.14.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chromecache_443.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_443.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chromecache_445.4.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_445.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_445.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000003.00000003.1010191527.000009CC036BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010381083.000009CC03B4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eebVy_fNKiM.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.sDa5bc0wD58.L.W.O/m=qmd
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.instagram.com
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.last.fm/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.messenger.com
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.office.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.tiktok.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.youtube.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.7:49682 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00410A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

2_2_00410A90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

2_2_00406480

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A72EC	0_2_00007FF7531A72EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318F440	0_2_00007FF75318F440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753192450	0_2_00007FF753192450
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753197880	0_2_00007FF753197880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753194060	0_2_00007FF753194060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531908E0	0_2_00007FF7531908E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318BB40	0_2_00007FF75318BB40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753184790	0_2_00007FF753184790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A1358	0_2_00007FF7531A1358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753182B70	0_2_00007FF753182B70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753191FA0	0_2_00007FF753191FA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753191BB0	0_2_00007FF753191BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318D3F0	0_2_00007FF75318D3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753182640	0_2_00007FF753182640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A7A6C	0_2_00007FF7531A7A6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318C2C0	0_2_00007FF75318C2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753195AD0	0_2_00007FF753195AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753194AD0	0_2_00007FF753194AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753183ED0	0_2_00007FF753183ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75319A29C	0_2_00007FF75319A29C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318F710	0_2_00007FF75318F710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A9708	0_2_00007FF7531A9708
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753186EE0	0_2_00007FF753186EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318D920	0_2_00007FF75318D920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318DD60	0_2_00007FF75318DD60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753190170	0_2_00007FF753190170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A11D4	0_2_00007FF7531A11D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753195E00	0_2_00007FF753195E00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753194DE0	0_2_00007FF753194DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531951F0	0_2_00007FF7531951F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00404A20	2_2_00404A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00418630	2_2_00418630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041B770	2_2_0041B770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041B300	2_2_0041B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041C100	2_2_0041C100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004193D0	2_2_004193D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041A7D0	2_2_0041A7D0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00410D00 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0040F5B0 appears 135 times

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 2776

Yara signature match

Source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: file.exe

Static PE information: Section: .bss ZLIB complexity 1.0003622159090908

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@78/291@30/24

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00410230 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

2_2_00410230

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\AZ5N9PKP.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6964

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user~1\AppData\Local\Temp\4581bab3-27fd-4c25-b636-434a9cca70dc.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kno8yc26x.2.dr, glf379z5p.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	Virustotal: Detection: 19%
Source: file.exe	ReversingLabs: Detection: 16%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2308,i,15293753799897546638,14223410568821553602,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2476 /prefetch:3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2064,i,11077271955637265282,249532908686684789,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1576 --field-trial-handle=1916,i,2447333108888660332,14346485730295745683,262144 /prefetch:3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2224,i,10611571270307567122,8227078237677590620,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7044 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 2776
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7008 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2308,i,15293753799897546638,14223410568821553602,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2476 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1576 --field-trial-handle=1916,i,2447333108888660332,14346485730295745683,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2064,i,11077271955637265282,249532908686684789,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2224,i,10611571270307567122,8227078237677590620,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7044 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7008 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_004108E0

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name: .gxfg
Source: file.exe	Static PE information: section name: .retplne
Source: file.exe	Static PE information: section name: _RDATA

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

2_2_004108E0

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Found decision node followed by non-executed suspicious APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found evasive API chain (date check)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A1358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7531A1358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A11D4 FindFirstFileExW,	0_2_00007FF7531A11D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	2_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	2_2_00408360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_004097B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	2_2_00414E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	2_2_0040ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	2_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	2_2_00415EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	2_2_00414950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_00409560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00413FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	2_2_004013F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	2_2_00413580

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

2_2_00413AF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0040FDD0 GetSystemInfo,wsprintfA,

2_2_0040FDD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe, 00000003.00000003.1012275836.0000023805E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 34% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory In
Source: Amcache.hve.32.dr	Binary or memory string: VMware
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Web Data.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Web Data.14.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Web Data.14.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Web Data.14.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000E48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chrome.exe, 00000003.00000003.1010437300.0000023805D9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812H
Source: Web Data.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Web Data.14.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.32.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Web Data.14.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.32.dr	Binary or memory string: vmci.sys
Source: Web Data.14.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Web Data.14.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Web Data.14.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.32.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.32.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.32.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.32.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Web Data.14.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.32.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.32.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.32.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Web Data.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.32.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.32.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Web Data.14.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Web Data.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.32.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.32.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Web Data.14.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.32.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.32.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.32.dr	Binary or memory string: VMware20,1hbin@
Source: chrome.exe, 00000003.00000003.1010476244.0000023805D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transit
Source: Amcache.hve.32.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: chrome.exe, 00000003.00000003.1010476244.0000023805D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB
Source: Amcache.hve.32.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 00000003.00000003.968335692.000009CC02500000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.32.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.32.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: msedge.exe, 00000008.00000002.1103746965.0000022BC9E53000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1271810578.00000226B2444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.14.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Web Data.14.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.32.dr	Binary or memory string: vmci.syshbin`
Source: chrome.exe, 00000003.00000003.1012347939.0000023805D78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costmber]
Source: Amcache.hve.32.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Web Data.14.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5m
Source: chrome.exe, 00000003.00000003.1010476244.0000023805D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root
Source: Amcache.hve.32.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.32.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Web Data.14.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75319AB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF75319AB04

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

2_2_004108E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75319E2EC GetProcessHeap,

0_2_00007FF75319E2EC

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753198088 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF753198088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75319AB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF75319AB04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753198704 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF753198704
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531986F4 SetUnhandledExceptionFilter,	0_2_00007FF7531986F4

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00411310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,		2_2_00411310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,		2_2_00411250

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 426000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 427000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 428000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C29008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7531A9520 cpuid

0_2_00007FF7531A9520

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree,

2_2_0040FC20

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF753198570 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF753198570

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00417210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,

2_2_00417210

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

2_2_0040FBC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.32.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6964, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6964, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6964, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.168.117.175	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.22.242.11	a416.dscd.akamai.net	European Union	20940	AKAMAI-ASN1EU	false
78.47.63.132	t.p.formaxprime.co.uk	Germany	24940	HETZNER-ASDE	true
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.44.201.25	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.185.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
23.44.201.26	unknown	United States	20940	AKAMAI-ASN1EU	false
18.244.18.32	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
23.204.152.9	unknown	United States	20940	AKAMAI-ASN1EU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
18.164.96.18	unknown	United States	3	MIT-GATEWAYSUS	false
216.58.206.78	plus.l.google.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
13.74.129.1	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.132	www.google.com	United States	15169	GOOGLEUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
2.22.242.89	a233.dscd.akamai.net	European Union	20940	AKAMAI-ASN1EU	false
150.171.27.12	ax-0003.ax-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.43.85.19	unknown	United States	3257	GTT-BACKBONEGTTDE	false
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.7
127.0.0.1

Contacted Domains

Name	IP	Active
ax-0003.ax-msedge.net	150.171.27.12	true
chrome.cloudflare-dns.com	172.64.41.3	true
plus.l.google.com	216.58.206.78	true
a416.dscd.akamai.net	2.22.242.11	true
ax-0002.ax-msedge.net	150.171.28.11	true
t.p.formaxprime.co.uk	78.47.63.132	true
t.me	149.154.167.99	true
a-0003.a-msedge.net	204.79.197.203	true
c-msn-pme.trafficmanager.net	13.74.129.1	true
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true
pki-goog.l.google.com	142.250.185.163	true
ax-0001.ax-msedge.net	150.171.27.10	true
a233.dscd.akamai.net	2.22.242.89	true
fg.microsoft.map.fastly.net	199.232.210.172	true
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.23	true
play.google.com	142.250.185.238	true
sb.scorecardresearch.com	18.244.18.32	true
www.google.com	142.250.186.132	true
googlehosted.l.googleusercontent.com	142.250.185.65	true
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true
assets.msn.com	unknown	unknown
c.msn.com	unknown	unknown
ntp.msn.com	unknown	unknown
clients2.googleusercontent.com	unknown	unknown
bzib.nelreports.net	unknown	unknown
c.pki.goog	unknown	unknown
apis.google.com	unknown	unknown
api.msn.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1742076232410&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false	high
https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true	false	high
https://bzib.nelreports.net/api/report?cat=bingbusiness	false	high
https://assets.msn.com/statics/icons/favicon_newtabpage.png	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1742076233408&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://t.me/g_etcontent	false	high
https://sb.scorecardresearch.com/b?rn=1742076230514&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=06898F1A137E61ED2A909AAA12D66026&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	false	high

AV Detection

Found malware configuration

Source: 2.2.MSBuild.exe.400000.0.raw.unpack

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199832267488", "Botnet": "dqu220"}

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 19%			Perma Link
Source: file.exe	ReversingLabs: Detection: 16%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA,	2_2_00406A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	2_2_00410830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	2_2_0040A150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406CF0 LocalAlloc,BCryptDecrypt,	2_2_00406CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	2_2_00406940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	2_2_0040A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	2_2_00406980

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.7:49682 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A1358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7531A1358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A11D4 FindFirstFileExW,	0_2_00007FF7531A11D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	2_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	2_2_00408360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_004097B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	2_2_00414E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	2_2_0040ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	2_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	2_2_00415EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	2_2_00414950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_00409560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00413FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	2_2_004013F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	2_2_00413580

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

2_2_00413AF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 6MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.7:49683 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.7:49686 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49687 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49721 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49688 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49689 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49689 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49718 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49722 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49722 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.63.132:443 -> 192.168.2.7:49686
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49724 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49724 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49690 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49690 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49691 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49691 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49776 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.63.132:443 -> 192.168.2.7:49685
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49789 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49789 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49834 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49834 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49723 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49723 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49814 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49814 -> 78.47.63.132:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199832267488

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 52.168.117.175 52.168.117.175
Source: Joe Sandbox View	IP Address: 2.22.242.11 2.22.242.11
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.175
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 18.164.96.18
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

2_2_00403850

Source: global traffic	HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: t.p.formaxprime.co.ukConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.cb278af4d754dd8a1a58.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.08ddc3af8246ad2193cd.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.1ed6fad3ee8a8960478c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.f2bbb948ce12d0d1625c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.8704366d527afd4c1c1c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1742076230513&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a6701706864e412abbf0e9e1cf90af38&activityId=a6701706864e412abbf0e9e1cf90af38&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1742076230514&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=06898F1A137E61ED2A909AAA12D66026&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1742076230514&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=06898F1A137E61ED2A909AAA12D66026&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=184aec4ece667d50c8349e61742076232; XID=184aec4ece667d50c8349e61742076232
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.75sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 250sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=f894a01a-65a1-42cd-84d2-bac763fe6a80; ai_session=qBH2uQSGXtetv6P0L1uXGB\|1742076230508\|1742076230508; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":37,"imageId":"BB1msMCf","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z; USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; MUIDB=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=f894a01a-65a1-42cd-84d2-bac763fe6a80; ai_session=qBH2uQSGXtetv6P0L1uXGB\|1742076230508\|1742076230508; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A6701706864E412ABBF0E9E1CF90AF38.RefC=2025-03-15T22:03:45Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1742076230513&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a6701706864e412abbf0e9e1cf90af38&activityId=a6701706864e412abbf0e9e1cf90af38&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=A8E397131C874C1FAC7B2D8BF332CDF5&MUID=06898F1A137E61ED2A909AAA12D66026 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=06898F1A137E61ED2A909AAA12D66026; _EDGE_S=F=1&SID=1D0F47763CCD6A8D038A52C63D7F6B88; _EDGE_V=1; SM=T

Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000003.976791093.000009CC03604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.983871203.000009CC02514000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000003.00000003.976791093.000009CC03604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.983871203.000009CC02514000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: t.p.formaxprime.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1201681443.0000788000390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000003.00000003.1001655338.000009CC034C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: Amcache.hve.32.dr	String found in binary or memory: http://upx.sf.net
Source: chromecache_445.4.dr	String found in binary or memory: http://www.broofa.com
Source: h4euai.2.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000003.00000003.1010544983.000009CC02980000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001438598.000009CC02980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chromecache_443.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_443.4.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp, chromecache_445.4.dr, chromecache_443.4.dr	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 00000008.00000002.1104415049.0000022BCBD57000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1271888229.00000226B2482000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: json[1].json.2.dr	String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.png
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.15.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://c.msn.com/
Source: chrome.exe, 00000003.00000003.984027708.000009CC03624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001718973.000009CC03514000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001786497.000009CC02794000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: h4euai.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.14.dr, service_worker_bin_prod.js.14.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000003.00000003.1010108435.000009CC03A64000.00000004.00001000.00020000.00000000.sdmp, msedge.exe, 00000008.00000002.1107046665.000078E80017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1302551154.000078800017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.14.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000003.00000003.976522721.000009CC03368000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001595220.000009CC038EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010108435.000009CC03A64000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000003.00000003.966178523.000009C800504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000003.00000003.966178523.000009C800504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000003.00000003.966162642.000009C8004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: msedge.exe, 00000008.00000002.1107046665.000078E80017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1302551154.000078800017C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.14.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: msedge.exe, 0000000C.00000002.1302551154.000078800017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/https://chrome.google.com/webstorex
Source: 53ec8dce-f773-41e1-8b5d-8921ed252e7c.tmp.15.dr	String found in binary or memory: https://clients2.google.com
Source: chrome.exe, 00000003.00000003.960177709.00005410000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: msedge.exe, 00000008.00000002.1106603419.000078E800040000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1298254974.0000788000054000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.14.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 53ec8dce-f773-41e1-8b5d-8921ed252e7c.tmp.15.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_443.4.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_443.4.dr	String found in binary or memory: https://content.googleapis.com
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 2cc80dabc69f58b6_0.14.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json0.14.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chromecache_443.4.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.14.dr	String found in binary or memory: https://drive.google.com/
Source: h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.14.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: h4euai.2.dr, Web Data.14.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log2.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log2.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log1.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log2.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.14.dr, 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chrome.exe, 00000003.00000003.984963946.000009CC03758000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.985391847.000009CC03704000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.984963946.000009CC03780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_445.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://gaana.com/
Source: h4euai.2.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.966162642.000009C8004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000003.00000003.966162642.000009C8004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 00000003.00000003.966066378.000009C8004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.966102403.000009C8004D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000003.00000003.1010660098.000009CC03E84000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: n7glxt.2.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 0000000C.00000003.1200710184.000078800043C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: chrome.exe, 00000003.00000003.984027708.000009CC03624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001786497.000009CC02794000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://m.kugou.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://m.soundcloud.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://m.vk.com/
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: Cookies.15.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.15.dr	String found in binary or memory: https://msn.comXIDv10
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://music.amazon.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://music.apple.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://music.yandex.com
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000003.00000003.976559785.000009CC03378000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log10.14.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.14.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.14.dr, 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log4.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13386549825537769.14.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.14.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.14.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: msedge.exe, 0000000C.00000002.1304412191.00007880002C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000003.00000003.1010008825.000009CC03538000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://open.spotify.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: chrome.exe, 00000003.00000003.984027708.000009CC03624000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1001786497.000009CC02794000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxAB
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000008.00000003.1089167177.000078E8001D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/events
Source: msedge.exe, 00000008.00000003.1093832738.000078E800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000008.00000003.1096821728.000078E800274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200376307.0000788000274000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.1200142603.0000788000270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chromecache_445.4.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_443.4.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_443.4.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000003.00000003.976559785.000009CC03378000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://srtb.msn.com/
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: MSBuild.exe, MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
Source: MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/?
Source: MSBuild.exe, MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000E48000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontent
Source: MSBuild.exe, 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/7wner3.default-release
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/G
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/I
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/W
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/ac
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/l
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/qL
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk/s
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk:
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.uk?
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.p.formaxprime.co.ukj
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://tidal.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.14.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://vibe.naver.com/today
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.telegram.org/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://web.whatsapp.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_443.4.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.deezer.com/
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 00000003.00000003.1010108435.000009CC03A64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.976559785.000009CC03378000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: content_new.js.14.dr, content.js.14.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: MSBuild.exe, 00000002.00000002.1380480797.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, h4euai.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Web Data.14.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chromecache_443.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_443.4.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000003.00000003.1010918401.000009CC03C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010824628.000009C800624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chromecache_445.4.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_445.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_445.4.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000003.00000003.1010191527.000009CC036BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010381083.000009CC03B4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eebVy_fNKiM.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000003.00000003.1010210708.000009CC03B7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010330586.000009CC03B6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010210708.000009CC03B5C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010264471.000009CC03B64000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010447494.000009CC03B1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.1010491221.000009CC03B98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.sDa5bc0wD58.L.W.O/m=qmd
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.instagram.com
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, n7glxt.2.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.last.fm/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.messenger.com
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000002.00000002.1382796474.000000000430F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2cc80dabc69f58b6_1.14.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.office.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.tiktok.com/
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://www.youtube.com
Source: 2450143e-36df-4a4a-95ba-acc9fa68a8a9.tmp.14.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.7:49682 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

2_2_00410A90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

2_2_00406480

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A72EC	0_2_00007FF7531A72EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318F440	0_2_00007FF75318F440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753192450	0_2_00007FF753192450
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753197880	0_2_00007FF753197880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753194060	0_2_00007FF753194060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531908E0	0_2_00007FF7531908E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318BB40	0_2_00007FF75318BB40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753184790	0_2_00007FF753184790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A1358	0_2_00007FF7531A1358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753182B70	0_2_00007FF753182B70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753191FA0	0_2_00007FF753191FA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753191BB0	0_2_00007FF753191BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318D3F0	0_2_00007FF75318D3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753182640	0_2_00007FF753182640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A7A6C	0_2_00007FF7531A7A6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318C2C0	0_2_00007FF75318C2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753195AD0	0_2_00007FF753195AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753194AD0	0_2_00007FF753194AD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753183ED0	0_2_00007FF753183ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75319A29C	0_2_00007FF75319A29C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318F710	0_2_00007FF75318F710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A9708	0_2_00007FF7531A9708
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753186EE0	0_2_00007FF753186EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318D920	0_2_00007FF75318D920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75318DD60	0_2_00007FF75318DD60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753190170	0_2_00007FF753190170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A11D4	0_2_00007FF7531A11D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753195E00	0_2_00007FF753195E00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753194DE0	0_2_00007FF753194DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531951F0	0_2_00007FF7531951F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00404A20	2_2_00404A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00418630	2_2_00418630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041B770	2_2_0041B770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041B300	2_2_0041B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041C100	2_2_0041C100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004193D0	2_2_004193D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041A7D0	2_2_0041A7D0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00410D00 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0040F5B0 appears 135 times

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 2776

Yara signature match

Source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000002.00000002.1378643031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: file.exe

Static PE information: Section: .bss ZLIB complexity 1.0003622159090908

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@78/291@30/24

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00410230 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

2_2_00410230

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\AZ5N9PKP.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6964

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user~1\AppData\Local\Temp\4581bab3-27fd-4c25-b636-434a9cca70dc.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kno8yc26x.2.dr, glf379z5p.2.dr

Source: file.exe	Virustotal: Detection: 19%
Source: file.exe	ReversingLabs: Detection: 16%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2308,i,15293753799897546638,14223410568821553602,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2476 /prefetch:3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2064,i,11077271955637265282,249532908686684789,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1576 --field-trial-handle=1916,i,2447333108888660332,14346485730295745683,262144 /prefetch:3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2224,i,10611571270307567122,8227078237677590620,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7044 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 2776
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7008 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2308,i,15293753799897546638,14223410568821553602,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2476 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1576 --field-trial-handle=1916,i,2447333108888660332,14346485730295745683,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2064,i,11077271955637265282,249532908686684789,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2224,i,10611571270307567122,8227078237677590620,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6892 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7044 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7008 --field-trial-handle=2088,i,11204622022202113914,5734698100804861925,262144 /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

2_2_004108E0

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name: .gxfg
Source: file.exe	Static PE information: section name: .retplne
Source: file.exe	Static PE information: section name: _RDATA

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

2_2_004108E0

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Found decision node followed by non-executed suspicious APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found evasive API chain (date check)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A1358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7531A1358
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531A11D4 FindFirstFileExW,	0_2_00007FF7531A11D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	2_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	2_2_00408360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_004097B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	2_2_00414E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	2_2_0040ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	2_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	2_2_00415EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	2_2_00414950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	2_2_00409560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	2_2_00413FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	2_2_004013F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	2_2_00413580

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

2_2_00413AF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0040FDD0 GetSystemInfo,wsprintfA,

2_2_0040FDD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe, 00000003.00000003.1012275836.0000023805E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 34% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory In
Source: Amcache.hve.32.dr	Binary or memory string: VMware
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Web Data.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Web Data.14.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Web Data.14.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Web Data.14.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1378907264.0000000000E48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chrome.exe, 00000003.00000003.1010437300.0000023805D9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812H
Source: Web Data.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Web Data.14.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.32.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Web Data.14.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.32.dr	Binary or memory string: vmci.sys
Source: Web Data.14.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Web Data.14.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Web Data.14.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.32.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.32.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.32.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.32.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Web Data.14.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.32.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.32.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.32.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Web Data.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.32.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.32.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Web Data.14.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Web Data.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.32.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.32.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Web Data.14.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.32.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.32.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.32.dr	Binary or memory string: VMware20,1hbin@
Source: chrome.exe, 00000003.00000003.1010476244.0000023805D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transit
Source: Amcache.hve.32.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.32.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: chrome.exe, 00000003.00000003.1010476244.0000023805D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB
Source: Amcache.hve.32.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 00000003.00000003.968335692.000009CC02500000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.32.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.32.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: msedge.exe, 00000008.00000002.1103746965.0000022BC9E53000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.1271810578.00000226B2444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.14.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Web Data.14.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.32.dr	Binary or memory string: vmci.syshbin`
Source: chrome.exe, 00000003.00000003.1012347939.0000023805D78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costmber]
Source: Amcache.hve.32.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Web Data.14.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5m
Source: chrome.exe, 00000003.00000003.1010476244.0000023805D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root
Source: Amcache.hve.32.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.32.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Web Data.14.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Web Data.14.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75319AB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF75319AB04

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

2_2_004108E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF75319E2EC GetProcessHeap,

0_2_00007FF75319E2EC

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753198088 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF753198088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF75319AB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF75319AB04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF753198704 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF753198704
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7531986F4 SetUnhandledExceptionFilter,	0_2_00007FF7531986F4

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00411310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,		2_2_00411310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,		2_2_00411250

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 426000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 427000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 428000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C29008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7531A9520 cpuid

0_2_00007FF7531A9520

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree,

2_2_0040FC20

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF753198570 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF753198570

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00417210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,

2_2_00417210

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

2_2_0040FBC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.32.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.32.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6964, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|
Source: MSBuild.exe, 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|Daedalus Mainnet\wallets\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000002.1378907264.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6964, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6964, type: MEMORYSTR

ID:	1639583
Product:	CloudBasic
Start time:	23:02:16
Start date:	15.03.2025
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	38da35e91c9aeea07d77b7df32e30591
SHA1:	49eebb6f1db4065b62e276f61c6f2c6abc0cb66e
SHA256:	53d491fcb95b0cd2c073b1a2b7dc8c032e9de2d9422ac13170fe5975b78f6a7e
Filetype:	Win64 Executable Console (202006/5) 92.65%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by