Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
FNLJD8Q3.exe

Overview

General Information

Sample name:FNLJD8Q3.exe
Analysis ID:1639974
MD5:03448ca5ad0f02a391d177dad4b9073f
SHA1:bc8e48ecd27159d4285a8bd6d722af80164033b0
SHA256:91a6786843c5205e09e280322de4f921f897af72ba7585af9349116a0f28a7e1
Tags:exevidaruser-aachum
Infos:

Detection

Vidar
Score:100
Range:0 - 100
Confidence:100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Browser Started with Remote Debugging
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • FNLJD8Q3.exe (PID: 8092 cmdline: "C:\Users\user\Desktop\FNLJD8Q3.exe" MD5: 03448CA5AD0F02A391D177DAD4B9073F)
    • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 8152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • chrome.exe (PID: 8096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 3324 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2380,i,12614543058951041071,778037290261149111,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2472 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • cmd.exe (PID: 9132 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\zmoh4" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 9140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 9184 cmdline: timeout /t 11 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
VidarVidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199832267488", "Botnet": "dqu220"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmpinfostealer_win_vidar_strings_nov23Finds Vidar samples based on the specific stringsSekoia.io
    • 0x1fcca:$str01: MachineID:
    • 0x1ef53:$str02: Work Dir: In memory
    • 0x1fd01:$str03: [Hardware]
    • 0x1fcb3:$str04: VideoCard:
    • 0x1f6b5:$str05: [Processes]
    • 0x1f6c1:$str06: [Software]
    • 0x1efd0:$str07: information.txt
    • 0x1fa36:$str08: %s\*
    • 0x1fa83:$str08: %s\*
    • 0x1f206:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
    • 0x1f59f:$str12: UseMasterPassword
    • 0x1fd0d:$str13: Soft: WinSCP
    • 0x1f7eb:$str14: <Pass encoding="base64">
    • 0x1fcf0:$str15: Soft: FileZilla
    • 0x1efc2:$str16: passwords.txt
    • 0x1f5ca:$str17: build_id
    • 0x1f679:$str18: file_data
    00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      Process Memory Space: MSBuild.exe PID: 8152JoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
        Process Memory Space: MSBuild.exe PID: 8152JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          2.2.MSBuild.exe.400000.0.raw.unpackinfostealer_win_vidar_strings_nov23Finds Vidar samples based on the specific stringsSekoia.io
          • 0x1fcca:$str01: MachineID:
          • 0x1ef53:$str02: Work Dir: In memory
          • 0x1fd01:$str03: [Hardware]
          • 0x1fcb3:$str04: VideoCard:
          • 0x1f6b5:$str05: [Processes]
          • 0x1f6c1:$str06: [Software]
          • 0x1efd0:$str07: information.txt
          • 0x1fa36:$str08: %s\*
          • 0x1fa83:$str08: %s\*
          • 0x1f206:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
          • 0x1f59f:$str12: UseMasterPassword
          • 0x1fd0d:$str13: Soft: WinSCP
          • 0x1f7eb:$str14: <Pass encoding="base64">
          • 0x1fcf0:$str15: Soft: FileZilla
          • 0x1efc2:$str16: passwords.txt
          • 0x1f5ca:$str17: build_id
          • 0x1f679:$str18: file_data
          2.2.MSBuild.exe.400000.0.unpackinfostealer_win_vidar_strings_nov23Finds Vidar samples based on the specific stringsSekoia.io
          • 0x1e2ca:$str01: MachineID:
          • 0x1d553:$str02: Work Dir: In memory
          • 0x1e301:$str03: [Hardware]
          • 0x1e2b3:$str04: VideoCard:
          • 0x1dcb5:$str05: [Processes]
          • 0x1dcc1:$str06: [Software]
          • 0x1d5d0:$str07: information.txt
          • 0x1e036:$str08: %s\*
          • 0x1e083:$str08: %s\*
          • 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
          • 0x1db9f:$str12: UseMasterPassword
          • 0x1e30d:$str13: Soft: WinSCP
          • 0x1ddeb:$str14: <Pass encoding="base64">
          • 0x1e2f0:$str15: Soft: FileZilla
          • 0x1d5c2:$str16: passwords.txt
          • 0x1dbca:$str17: build_id
          • 0x1dc79:$str18: file_data

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Silenttrinity Stager Msbuild Activity
          Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 149.154.167.99, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8152, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49723
          Sigma detected: Browser Started with Remote Debugging
          Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 8152, ParentProcessName: MSBuild.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 8096, ProcessName: chrome.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-16T19:44:50.892839+010020442471Malware Command and Control Activity Detected78.47.63.132443192.168.2.449730TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-16T19:44:52.219975+010020518311Malware Command and Control Activity Detected78.47.63.132443192.168.2.449731TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-16T19:44:50.892640+010020490871A Network Trojan was detected192.168.2.44973078.47.63.132443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-16T19:44:53.648160+010020593311Malware Command and Control Activity Detected192.168.2.44973378.47.63.132443TCP
          2025-03-16T19:44:55.125421+010020593311Malware Command and Control Activity Detected192.168.2.44973578.47.63.132443TCP
          2025-03-16T19:44:55.469754+010020593311Malware Command and Control Activity Detected192.168.2.44973678.47.63.132443TCP
          2025-03-16T19:44:56.513051+010020593311Malware Command and Control Activity Detected192.168.2.44973778.47.63.132443TCP
          2025-03-16T19:44:57.568379+010020593311Malware Command and Control Activity Detected192.168.2.44973878.47.63.132443TCP
          2025-03-16T19:45:06.399894+010020593311Malware Command and Control Activity Detected192.168.2.44976778.47.63.132443TCP
          2025-03-16T19:45:07.415944+010020593311Malware Command and Control Activity Detected192.168.2.44976878.47.63.132443TCP
          2025-03-16T19:45:07.762949+010020593311Malware Command and Control Activity Detected192.168.2.44976978.47.63.132443TCP
          2025-03-16T19:45:08.764917+010020593311Malware Command and Control Activity Detected192.168.2.44977078.47.63.132443TCP
          2025-03-16T19:45:09.813998+010020593311Malware Command and Control Activity Detected192.168.2.44977178.47.63.132443TCP
          2025-03-16T19:45:10.831441+010020593311Malware Command and Control Activity Detected192.168.2.44977278.47.63.132443TCP
          2025-03-16T19:45:11.874966+010020593311Malware Command and Control Activity Detected192.168.2.44977378.47.63.132443TCP
          2025-03-16T19:45:13.978309+010020593311Malware Command and Control Activity Detected192.168.2.44977478.47.63.132443TCP
          2025-03-16T19:45:18.192561+010020593311Malware Command and Control Activity Detected192.168.2.44977778.47.63.132443TCP
          2025-03-16T19:45:20.218444+010020593311Malware Command and Control Activity Detected192.168.2.44977878.47.63.132443TCP
          2025-03-16T19:45:22.303390+010020593311Malware Command and Control Activity Detected192.168.2.44977978.47.63.132443TCP
          2025-03-16T19:45:23.759614+010020593311Malware Command and Control Activity Detected192.168.2.44978078.47.63.132443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-16T19:44:55.469754+010028596361Malware Command and Control Activity Detected192.168.2.44973678.47.63.132443TCP
          2025-03-16T19:44:56.513051+010028596361Malware Command and Control Activity Detected192.168.2.44973778.47.63.132443TCP
          2025-03-16T19:44:57.568379+010028596361Malware Command and Control Activity Detected192.168.2.44973878.47.63.132443TCP
          2025-03-16T19:45:07.762949+010028596361Malware Command and Control Activity Detected192.168.2.44976978.47.63.132443TCP
          2025-03-16T19:45:08.764917+010028596361Malware Command and Control Activity Detected192.168.2.44977078.47.63.132443TCP
          2025-03-16T19:45:09.813998+010028596361Malware Command and Control Activity Detected192.168.2.44977178.47.63.132443TCP
          2025-03-16T19:45:10.831441+010028596361Malware Command and Control Activity Detected192.168.2.44977278.47.63.132443TCP
          2025-03-16T19:45:11.874966+010028596361Malware Command and Control Activity Detected192.168.2.44977378.47.63.132443TCP
          2025-03-16T19:45:13.978309+010028596361Malware Command and Control Activity Detected192.168.2.44977478.47.63.132443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-16T19:44:48.246739+010028593781Malware Command and Control Activity Detected192.168.2.44972578.47.63.132443TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199832267488", "Botnet": "dqu220"}
          Multi AV Scanner detection for submitted file
          Source: FNLJD8Q3.exeReversingLabs: Detection: 38%
          Source: FNLJD8Q3.exeVirustotal: Detection: 39%Perma Link
          Joe Sandbox ML detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA,2_2_00406A10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,2_2_00410830
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,2_2_0040A150
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00406CF0 LocalAlloc,BCryptDecrypt,2_2_00406CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey,2_2_00406940
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,2_2_0040A560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,2_2_00406980
          Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49723 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49724 version: TLS 1.2
          Source: FNLJD8Q3.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF311D4 FindFirstFileExW,0_2_00007FF67CF311D4
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF31358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF67CF31358
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,2_2_00414E70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,2_2_00407210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,2_2_0040B6B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,2_2_00415EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,2_2_00408360
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,2_2_00413FD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,2_2_004013F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,2_2_00413580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,2_2_004097B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,2_2_0040ACD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,2_2_00408C90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,2_2_00414950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,2_2_00409560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,2_2_00413AF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
          Source: chrome.exeMemory has grown: Private usage: 1MB later: 39MB

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49730 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49735 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49767 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49737 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49737 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49769 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49769 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49725 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49770 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49770 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49771 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49771 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49772 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49772 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49773 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49773 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.63.132:443 -> 192.168.2.4:49731
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49768 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.63.132:443 -> 192.168.2.4:49730
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49738 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49738 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49733 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49736 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49736 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49779 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49778 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49780 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49774 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49774 -> 78.47.63.132:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49777 -> 78.47.63.132:443
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199832267488
          Source: global trafficHTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
          Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
          Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
          Source: Joe Sandbox ViewIP Address: 78.47.63.132 78.47.63.132
          Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 13.107.246.60
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 142.250.185.163
          Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
          Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
          Source: unknownTCP traffic detected without corresponding DNS query: 142.250.185.163
          Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
          Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
          Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.9
          Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
          Source: unknownTCP traffic detected without corresponding DNS query: 2.23.77.188
          Source: unknownTCP traffic detected without corresponding DNS query: 20.190.159.128
          Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
          Source: unknownTCP traffic detected without corresponding DNS query: 20.190.159.128
          Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,2_2_00403850
          Source: global trafficHTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: t.p.formaxprime.co.ukConnection: Keep-AliveCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjI3M4BCIrgzgEIruTOAQjk5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjI3M4BCIrgzgEIruTOAQjk5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCOTkzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
          Source: chrome.exe, 00000009.00000003.1321243180.0000085C01490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1321220729.0000085C014C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
          Source: chrome.exe, 00000009.00000003.1321243180.0000085C01490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1321220729.0000085C014C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
          Source: chrome.exe, 00000009.00000002.1406750154.0000085C006BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
          Source: global trafficDNS traffic detected: DNS query: t.me
          Source: global trafficDNS traffic detected: DNS query: t.p.formaxprime.co.uk
          Source: global trafficDNS traffic detected: DNS query: www.google.com
          Source: global trafficDNS traffic detected: DNS query: apis.google.com
          Source: global trafficDNS traffic detected: DNS query: play.google.com
          Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2djmo8g4ect2nymophdtUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: t.p.formaxprime.co.ukContent-Length: 256Connection: Keep-AliveCache-Control: no-cache
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/time/1/current
          Source: chrome.exe, 00000009.00000002.1407136038.0000085C00858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
          Source: chrome.exe, 00000009.00000002.1409148547.0000085C0109C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
          Source: chrome.exe, 00000009.00000002.1405005859.0000085C000E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://google.com/
          Source: chrome.exe, 00000009.00000002.1407362518.0000085C0095C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
          Source: chrome.exe, 00000009.00000002.1408413887.0000085C00D8C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://unisolated.invalid/
          Source: chromecache_78.10.drString found in binary or memory: http://www.broofa.com
          Source: chrome.exe, 00000009.00000002.1410312940.0000085C01440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/update2/response
          Source: chrome.exe, 00000009.00000002.1408504196.0000085C00DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.gstatic.com/generate_204
          Source: chrome.exe, 00000009.00000002.1394826724.000001CC4F486000.00000002.00000001.00040000.0000000E.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
          Source: glf379.2.drString found in binary or memory: https://ac.ecosia.org?q=
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accountcapabilities-pa.googleapis.com/
          Source: chrome.exe, 00000009.00000002.1404828228.0000085C00040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
          Source: chrome.exe, 00000009.00000002.1406776765.0000085C0072C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406891194.0000085C00784000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410059349.0000085C01368000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407473859.0000085C009C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com
          Source: chrome.exe, 00000009.00000002.1410406125.0000085C01474000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/AccountChooser
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/AddSession
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/Logout
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/RotateBoundCookies
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/chrome/blank.html
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/windows
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
          Source: chrome.exe, 00000009.00000002.1404875219.0000085C0006C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
          Source: chromecache_76.10.drString found in binary or memory: https://accounts.google.com/o/oauth2/auth
          Source: chromecache_76.10.drString found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/o/oauth2/revoke
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/oauth/multilogin
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/samlredirect
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
          Source: chrome.exe, 00000009.00000002.1406776765.0000085C0072C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com:443
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://adsmeasurement.com
          Source: chrome.exe, 00000009.00000003.1354684824.0000085C01994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354709429.0000085C01520000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354879499.0000085C019B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354657642.0000085C0198C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1412081946.0000085C0191C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354626492.0000085C01984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354859909.0000085C01948000.00000004.00001000.00020000.00000000.sdmp, chromecache_76.10.dr, chromecache_78.10.drString found in binary or memory: https://apis.google.com
          Source: chrome.exe, 00000009.00000002.1408434821.0000085C00D9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405221235.0000085C0016C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://appsflyer.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://aqfer.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://azubiyo.de
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://beaconmax.com
          Source: chrome.exe, 00000009.00000002.1407405236.0000085C00984000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, iwlf3o.2.drString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, iwlf3o.2.drString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
          Source: chrome.exe, 00000009.00000003.1323440826.0000085C014E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1353180748.0000085C00558000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1323667796.0000085C01480000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1353103391.0000085C014C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com
          Source: chrome.exe, 00000009.00000002.1407815884.0000085C00B50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408128930.0000085C00C98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410593747.0000085C01628000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
          Source: glf379.2.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: MSBuild.exe, 00000002.00000002.1607359648.00000000040BE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408393327.0000085C00D80000.00000004.00001000.00020000.00000000.sdmp, glf379.2.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: MSBuild.exe, 00000002.00000002.1607359648.00000000040BE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408393327.0000085C00D80000.00000004.00001000.00020000.00000000.sdmp, glf379.2.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: chrome.exe, 00000009.00000003.1353414290.0000085C011C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405321900.0000085C001AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chrome.google.com/webstore/category/extensions
          Source: chrome.exe, 00000009.00000002.1408732069.0000085C00E94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401985726.000001CC563D7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 00000009.00000003.1320969436.0000085C0112C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409319586.0000085C01130000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411647003.0000085C01820000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411670507.0000085C01838000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408504196.0000085C00DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
          Source: chrome.exe, 00000009.00000003.1353467581.0000085C011D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1353414290.0000085C011C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstoreLDDiscover
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
          Source: chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
          Source: chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/AttributionReportingCrossAppWeb
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311657206.0000085800458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311720332.0000085800468000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/KAnonymityServiceJoinServer
          Source: chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/
          Source: chrome.exe, 00000009.00000002.1407091538.0000085C0082C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
          Source: chrome.exe, 00000009.00000002.1407091538.0000085C0082C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
          Source: chrome.exe, 00000009.00000002.1405321900.0000085C001AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/
          Source: chrome.exe, 00000009.00000002.1407432325.0000085C009AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/extensions
          Source: chrome.exe, 00000009.00000002.1407432325.0000085C009AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/themes
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://classroom.googleapis.com/
          Source: chrome.exe, 00000009.00000003.1310172545.00004600000DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
          Source: chrome.exe, 00000009.00000002.1407432325.0000085C009AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407383282.0000085C00968000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405321900.0000085C001AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
          Source: chrome.exe, 00000009.00000002.1407136038.0000085C00858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
          Source: chrome.exe, 00000009.00000002.1407136038.0000085C00858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
          Source: chrome.exe, 00000009.00000002.1407136038.0000085C00858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync/event
          Source: chromecache_76.10.drString found in binary or memory: https://clients6.google.com
          Source: chrome.exe, 00000009.00000002.1407136038.0000085C00858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
          Source: chromecache_76.10.drString found in binary or memory: https://content.googleapis.com
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, iwlf3o.2.drString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, iwlf3o.2.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
          Source: chrome.exe, 00000009.00000002.1405921348.0000085C003C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dailymail.co.uk
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/:
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/J
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406750154.0000085C006BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
          Source: chrome.exe, 00000009.00000002.1407815884.0000085C00B50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408128930.0000085C00C98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410593747.0000085C01628000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
          Source: chrome.exe, 00000009.00000002.1407815884.0000085C00B50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408128930.0000085C00C98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410593747.0000085C01628000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/:
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/J
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406750154.0000085C006BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
          Source: chrome.exe, 00000009.00000002.1407815884.0000085C00B50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408128930.0000085C00C98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410593747.0000085C01628000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/:
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/J
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406750154.0000085C006BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
          Source: chrome.exe, 00000009.00000002.1407815884.0000085C00B50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408128930.0000085C00C98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410593747.0000085C01628000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
          Source: chromecache_76.10.drString found in binary or memory: https://domains.google.com/suggest/flow
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/:
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?lfhs=2
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/J
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406750154.0000085C006BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
          Source: glf379.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: MSBuild.exe, 00000002.00000002.1607359648.00000000040BE000.00000004.00000020.00020000.00000000.sdmp, glf379.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
          Source: glf379.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ebayadservices.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://elle.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://elnacional.cat
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://finn.no
          Source: chrome.exe, 00000009.00000003.1352807074.0000085C01034000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1323914572.0000085C015B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1324043406.0000085C0154C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fonts.google.com/icons?selected=Material
          Source: chromecache_78.10.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
          Source: chromecache_78.10.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
          Source: chromecache_78.10.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
          Source: chromecache_78.10.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
          Source: glf379.2.drString found in binary or memory: https://gemini.google.com/app?q=
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?20
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic2
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://getcapi.co
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gokwik.co
          Source: chrome.exe, 00000009.00000003.1311720332.0000085800468000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311657206.0000085800458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311720332.0000085800468000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
          Source: chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
          Source: chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311657206.0000085800458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311720332.0000085800468000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
          Source: chrome.exe, 00000009.00000002.1404775981.0000085C00004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google.com/
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://googlesyndication.com
          Source: chrome.exe, 00000009.00000002.1407319234.0000085C00934000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://googleusercontent.com/
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs
          Source: chrome.exe, 00000009.00000003.1353756126.0000085C018F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355224434.0000085C018FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs2e
          Source: iwlf3o.2.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ingereck.net
          Source: chrome.exe, 00000009.00000002.1410903419.0000085C016A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408242529.0000085C00D40000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407883132.0000085C00B74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
          Source: chrome.exe, 00000009.00000002.1406097434.0000085C00414000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search?source=ntp
          Source: chrome.exe, 00000009.00000003.1323440826.0000085C014E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1353180748.0000085C00558000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/gen204
          Source: chrome.exe, 00000009.00000002.1406142880.0000085C00430000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405768127.0000085C0031C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://m.google.com/devicemanagement/data/api
          Source: chrome.exe, 00000009.00000002.1408919993.0000085C00F98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407340723.0000085C00948000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408434821.0000085C00D9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410059349.0000085C01368000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407405236.0000085C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/:
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/J
          Source: chrome.exe, 00000009.00000002.1409051963.0000085C01004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409645737.0000085C01280000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410593747.0000085C01628000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
          Source: chrome.exe, 00000009.00000002.1410593747.0000085C01628000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultfault
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/:
          Source: chrome.exe, 00000009.00000002.1406097434.0000085C00414000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/J
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406750154.0000085C006BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
          Source: chrome.exe, 00000009.00000002.1407694638.0000085C00A8C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410651963.0000085C01638000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
          Source: chrome.exe, 00000009.00000002.1407694638.0000085C00A8C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411168364.0000085C01700000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408209130.0000085C00D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
          Source: chrome.exe, 00000009.00000002.1407694638.0000085C00A8C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411168364.0000085C01700000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408209130.0000085C00D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
          Source: chrome.exe, 00000009.00000003.1311891535.00000858004AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
          Source: chrome.exe, 00000009.00000002.1407694638.0000085C00A8C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411168364.0000085C01700000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408209130.0000085C00D00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
          Source: chrome.exe, 00000009.00000003.1320677647.0000085C00304000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407987383.0000085C00C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmp, chrome.exe, 00000009.00000003.1320952666.0000085C011E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myactivity.google.com/
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
          Source: chrome.exe, 00000009.00000002.1412081946.0000085C0191C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354626492.0000085C01984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406368204.0000085C00598000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354859909.0000085C01948000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogads-pa.googleapis.com
          Source: chrome.exe, 00000009.00000002.1410842625.0000085C01670000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com
          Source: chrome.exe, 00000009.00000003.1354684824.0000085C01994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354709429.0000085C01520000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354879499.0000085C019B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354657642.0000085C0198C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1412081946.0000085C0191C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354626492.0000085C01984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406368204.0000085C00598000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354859909.0000085C01948000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
          Source: chrome.exe, 00000009.00000003.1354684824.0000085C01994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354709429.0000085C01520000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354879499.0000085C019B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354657642.0000085C0198C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1412081946.0000085C0191C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354626492.0000085C01984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406368204.0000085C00598000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354859909.0000085C01948000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?eom=1
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1413300806.0000085C01EE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410963085.0000085C016B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
          Source: chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410982575.0000085C016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410963085.0000085C016B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
          Source: chrome.exe, 00000009.00000002.1410015622.0000085C01338000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410963085.0000085C016B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410982575.0000085C016C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
          Source: chrome.exe, 00000009.00000002.1408952353.0000085C00FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410963085.0000085C016B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
          Source: chrome.exe, 00000009.00000002.1410963085.0000085C016B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410982575.0000085C016C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411071244.0000085C016E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1413300806.0000085C01EE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728324084&target=OPTIMIZATION_TARGET_OMN
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410036413.0000085C01348000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808228&target=OPTIMIZATION_TARGET_GEO
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1413300806.0000085C01EE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808249&target=OPTIMIZATION_TARGET_NOT
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1413300806.0000085C01EE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411071244.0000085C016E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739894676&target=OPTIMIZATION_TARGET_CLI
          Source: chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410982575.0000085C016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410882277.0000085C01690000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1413300806.0000085C01EE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411071244.0000085C016E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042075&target=OPTIMIZATION_TARGET_S
          Source: chrome.exe, 00000009.00000002.1410963085.0000085C016B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410747553.0000085C01657000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410982575.0000085C016C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409216648.0000085C010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
          Source: chrome.exe, 00000009.00000002.1411001569.0000085C016D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1413300806.0000085C01EE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1411051547.0000085C016DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
          Source: chrome.exe, 00000009.00000003.1323440826.0000085C014E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1353180748.0000085C00558000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1353103391.0000085C014C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/calendar/
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://paa-reporting-advertising.amazon
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://passwords.google.comSaved
          Source: chrome.exe, 00000009.00000002.1407383282.0000085C00968000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://passwords.google/
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://people.googleapis.com/
          Source: chromecache_78.10.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
          Source: chrome.exe, 00000009.00000002.1400851523.000001CC544F7000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://play.google.com/log?format=json&hasfast=true(
          Source: chromecache_76.10.drString found in binary or memory: https://plus.google.com
          Source: chromecache_76.10.drString found in binary or memory: https://plus.googleapis.com
          Source: chrome.exe, 00000009.00000003.1320677647.0000085C00304000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407987383.0000085C00C04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmp, chrome.exe, 00000009.00000003.1320952666.0000085C011E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://policies.google.com/
          Source: chrome.exe, 00000009.00000002.1407066222.0000085C00804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
          Source: chrome.exe, 00000009.00000002.1407066222.0000085C00804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
          Source: chrome.exe, 00000009.00000002.1405940255.0000085C003DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
          Source: chrome.exe, 00000009.00000002.1405064011.0000085C000F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
          Source: chrome.exe, 00000009.00000002.1405590960.0000085C00214000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408504196.0000085C00DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://seedtag.com
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.com
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.comb
          Source: chrome.exe, 00000009.00000002.1410903419.0000085C016A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408242529.0000085C00D40000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407883132.0000085C00B74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sitescout.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://smadexprivacysandbox.com
          Source: chrome.exe, 00000009.00000002.1406097434.0000085C00414000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
          Source: MSBuild.exe, MSBuild.exe, 00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
          Source: MSBuild.exe, 00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://support.google.com/chrome/answer/96817
          Source: chrome.exe, 00000009.00000002.1406415559.0000085C005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://support.google.com/chromebook?p=app_intent
          Source: MSBuild.exe, 00000002.00000002.1609359089.0000000004930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
          Source: MSBuild.exe, 00000002.00000002.1609359089.0000000004930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
          Source: chrome.exe, 00000009.00000002.1411071244.0000085C016E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
          Source: chrome.exe, 00000009.00000002.1411071244.0000085C016E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20161
          Source: chrome.exe, 00000009.00000002.1411071244.0000085C016E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
          Source: chrome.exe, 00000009.00000002.1411071244.0000085C016E8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e175
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/G
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/Q
          Source: MSBuild.exe, MSBuild.exe, 00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1605562607.0000000001508000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/g_etcontent
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001508000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/g_etcontent)
          Source: MSBuild.exe, 00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1605562607.0000000001548000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1606712996.0000000003F63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.p.formaxprime.co.uk
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1605562607.0000000001548000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.p.formaxprime.co.uk/
          Source: chrome.exe, 00000009.00000002.1408504196.0000085C00DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://t0.gstatic.com/faviconV2
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tailtarget.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tamedia.com.tw
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tangooserver.com
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tasks.googleapis.com/
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://trkkn.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tya-dev.com
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://verve.com
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://weborama-tech.ru
          Source: chromecache_76.10.drString found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
          Source: chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://worldhistory.org
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, iwlf3o.2.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
          Source: MSBuild.exe, 00000002.00000002.1607359648.00000000040BE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408393327.0000085C00D80000.00000004.00001000.00020000.00000000.sdmp, glf379.2.drString found in binary or memory: https://www.ecosia.org/newtab/v20
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, iwlf3o.2.drString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
          Source: chrome.exe, 00000009.00000003.1353414290.0000085C011C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1320952666.0000085C011E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407250811.0000085C008E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408477621.0000085C00DBC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
          Source: chrome.exe, 00000009.00000002.1409710376.0000085C012BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
          Source: chrome.exe, 00000009.00000003.1323440826.0000085C01520000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
          Source: chrome.exe, 00000009.00000002.1411474975.0000085C017D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/newtab_promos
          Source: chrome.exe, 00000009.00000002.1407383282.0000085C00968000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/#safe
          Source: chrome.exe, 00000009.00000002.1407432325.0000085C009AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-features/
          Source: chrome.exe, 00000009.00000002.1407432325.0000085C009AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-tools/
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
          Source: chrome.exe, 00000009.00000002.1396950272.000001CC51480000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
          Source: chrome.exe, 00000009.00000002.1411168364.0000085C01700000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407883132.0000085C00B74000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408128930.0000085C00C98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/tips/
          Source: MSBuild.exe, 00000002.00000002.1607359648.00000000040BE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407136038.0000085C00858000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406415559.0000085C005B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405835480.0000085C0037C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408393327.0000085C00D80000.00000004.00001000.00020000.00000000.sdmp, glf379.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
          Source: chrome.exe, 00000009.00000002.1406415559.0000085C005B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico0A
          Source: chrome.exe, 00000009.00000002.1406097434.0000085C00414000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
          Source: chrome.exe, 00000009.00000002.1406097434.0000085C00414000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354626492.0000085C01984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406368204.0000085C00598000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354859909.0000085C01948000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search
          Source: chrome.exe, 00000009.00000002.1406045757.0000085C00404000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/
          Source: chromecache_76.10.drString found in binary or memory: https://www.googleapis.com/auth/plus.me
          Source: chromecache_76.10.drString found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
          Source: chrome.exe, 00000009.00000003.1355033181.0000085C01A98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311861200.0000085800498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311942110.00000858004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311984423.00000858004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311891535.00000858004AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
          Source: chrome.exe, 00000009.00000003.1354463061.0000085800604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355033181.0000085C01A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
          Source: chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311861200.0000085800498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311942110.00000858004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311984423.00000858004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311891535.00000858004AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerForcedOn_PlusAddressAndroidOpenGmsCoreManagementP
          Source: chrome.exe, 00000009.00000003.1311740953.000008580048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311861200.0000085800498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311942110.00000858004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311984423.00000858004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1311891535.00000858004AC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerPlusAddressOfferCreationIfPasswordFieldIsNotVisib
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v4/token
          Source: chrome.exe, 00000009.00000002.1405488353.0000085C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
          Source: chrome.exe, 00000009.00000002.1407111307.0000085C0083C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354709429.0000085C01530000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1410453749.0000085C01530000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
          Source: chromecache_78.10.drString found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
          Source: chromecache_78.10.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
          Source: chromecache_78.10.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
          Source: chrome.exe, 00000009.00000003.1354763718.0000085C019A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
          Source: chrome.exe, 00000009.00000003.1354879499.0000085C019B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354596290.0000085C01578000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1412159386.0000085C01938000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354763718.0000085C019A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
          Source: chrome.exe, 00000009.00000002.1409125051.0000085C01084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354626492.0000085C01984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406368204.0000085C00598000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354859909.0000085C01948000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405259092.0000085C00184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eebVy_fNKiM.2019.O/rt=j/m=q_dnp
          Source: chrome.exe, 00000009.00000003.1354684824.0000085C01994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354709429.0000085C01520000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354879499.0000085C019B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354657642.0000085C0198C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1412081946.0000085C0191C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406097434.0000085C00414000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354626492.0000085C01984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406368204.0000085C00598000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354859909.0000085C01948000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.sDa5bc0wD58.L.W.O/m=qmd
          Source: MSBuild.exe, 00000002.00000002.1609359089.0000000004930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
          Source: MSBuild.exe, 00000002.00000002.1609359089.0000000004930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
          Source: MSBuild.exe, 00000002.00000002.1609359089.0000000004930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
          Source: MSBuild.exe, 00000002.00000002.1609359089.0000000004930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
          Source: MSBuild.exe, 00000002.00000002.1609359089.0000000004930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/:
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?feature=ytca
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J
          Source: chrome.exe, 00000009.00000002.1408670585.0000085C00E7E000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1406750154.0000085C006BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408976555.0000085C00FE8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
          Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
          Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
          Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
          Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
          Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
          Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
          Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
          Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
          Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
          Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
          Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
          Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
          Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
          Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
          Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
          Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
          Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49723 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49724 version: TLS 1.2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00410A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,2_2_00410A90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,2_2_00406480

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
          Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
          Source: 00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF372EC0_2_00007FF67CF372EC
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF126400_2_00007FF67CF12640
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF37A6C0_2_00007FF67CF37A6C
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF2A29C0_2_00007FF67CF2A29C
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF1C2C00_2_00007FF67CF1C2C0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF13ED00_2_00007FF67CF13ED0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF25AD00_2_00007FF67CF25AD0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF24AD00_2_00007FF67CF24AD0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF16EE00_2_00007FF67CF16EE0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF397080_2_00007FF67CF39708
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF1F7100_2_00007FF67CF1F710
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF1DD600_2_00007FF67CF1DD60
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF201700_2_00007FF67CF20170
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF311D40_2_00007FF67CF311D4
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF24DE00_2_00007FF67CF24DE0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF251F00_2_00007FF67CF251F0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF25E000_2_00007FF67CF25E00
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF1F4400_2_00007FF67CF1F440
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF224500_2_00007FF67CF22450
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF240600_2_00007FF67CF24060
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF278800_2_00007FF67CF27880
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF208E00_2_00007FF67CF208E0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF1D9200_2_00007FF67CF1D920
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF1BB400_2_00007FF67CF1BB40
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF313580_2_00007FF67CF31358
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF12B700_2_00007FF67CF12B70
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF147900_2_00007FF67CF14790
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF21FA00_2_00007FF67CF21FA0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF21BB00_2_00007FF67CF21BB0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF1D3F00_2_00007FF67CF1D3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00404A202_2_00404A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004186302_2_00418630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0041B7702_2_0041B770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0041B3002_2_0041B300
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0041C1002_2_0041C100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004193D02_2_004193D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0041A7D02_2_0041A7D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 00410D00 appears 42 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 0040F5B0 appears 135 times
          Source: 2.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
          Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
          Source: 00000002.00000002.1605264200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
          Source: FNLJD8Q3.exeStatic PE information: Section: .bss ZLIB complexity 1.0003622159090908
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/26@8/6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,2_2_00411250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\WIOGEJ1S.htmJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9140:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
          Source: FNLJD8Q3.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: chrome.exe, 00000009.00000002.1411955057.0000085C018BC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
          Source: chrome.exe, 00000009.00000002.1412475022.0000085C01A34000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
          Source: chrome.exe, 00000009.00000002.1409444977.0000085C011B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405692360.0000085C002F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1407362518.0000085C0095C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
          Source: chrome.exe, 00000009.00000002.1407136038.0000085C008AE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
          Source: chrome.exe, 00000009.00000002.1411955057.0000085C018BC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
          Source: chrome.exe, 00000009.00000002.1409444977.0000085C011B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1405692360.0000085C002F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1408900083.0000085C00F88000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
          Source: chrome.exe, 00000009.00000002.1412475022.0000085C01A34000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
          Source: chrome.exe, 00000009.00000002.1412035297.0000085C018E8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
          Source: gdbi5pppz.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: chrome.exe, 00000009.00000002.1412475022.0000085C01A34000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
          Source: chrome.exe, 00000009.00000002.1408876412.0000085C00F6C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';
          Source: FNLJD8Q3.exeReversingLabs: Detection: 38%
          Source: FNLJD8Q3.exeVirustotal: Detection: 39%
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeFile read: C:\Users\user\Desktop\FNLJD8Q3.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\FNLJD8Q3.exe "C:\Users\user\Desktop\FNLJD8Q3.exe"
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2380,i,12614543058951041071,778037290261149111,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2472 /prefetch:3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\zmoh4" & exit
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\zmoh4" & exitJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2380,i,12614543058951041071,778037290261149111,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2472 /prefetch:3Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 11Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntshrui.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: pcacli.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
          Source: FNLJD8Q3.exeStatic PE information: Image base 0x140000000 > 0x60000000
          Source: FNLJD8Q3.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004108E0
          Source: FNLJD8Q3.exeStatic PE information: section name: .gxfg
          Source: FNLJD8Q3.exeStatic PE information: section name: .retplne
          Source: FNLJD8Q3.exeStatic PE information: section name: _RDATA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004108E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeEvasive API call chain: GetSystemTime,DecisionNodes
          Source: C:\Windows\SysWOW64\timeout.exe TID: 9188Thread sleep count: 91 > 30Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF311D4 FindFirstFileExW,0_2_00007FF67CF311D4
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF31358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF67CF31358
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,2_2_00414E70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,2_2_00407210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,2_2_0040B6B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,2_2_00415EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,2_2_00408360
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,2_2_00413FD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,2_2_004013F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,2_2_00413580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,2_2_004097B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,2_2_0040ACD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,2_2_00408C90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,2_2_00414950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,2_2_00409560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,2_2_00413AF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040FDD0 GetSystemInfo,wsprintfA,2_2_0040FDD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
          Source: chrome.exe, 00000009.00000002.1408242529.0000085C00D40000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC56185000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1352102380.000001CC561FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790LogicalS
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC5623F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTdeVMWare
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001508000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1352102380.000001CC561FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cessors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA
          Source: chrome.exe, 00000009.00000003.1354486339.000001CC52391000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1400358444.000001CC52391000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V dguiuiuvwdqsfkm Bus
          Source: chrome.exe, 00000009.00000003.1354486339.000001CC52383000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot*F
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC561BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V dguiuiuvwdqsfkm Bus Pipes
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition
          Source: chrome.exe, 00000009.00000003.1355580185.000001CC56252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partition
          Source: chrome.exe, 00000009.00000003.1355505094.000001CC562D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total
          Source: chrome.exe, 00000009.00000003.1352001332.000001CC56252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818I
          Source: chrome.exe, 00000009.00000002.1409550050.0000085C01234000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: gle\Chrome\User Data\Default\Download Service\Files\21abf2e3-eeca-436a-8e7b-0eb003e8c149USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=72386b88-ed4d-4941-a74b-aeeb16ae9e89
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52383000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::$DATAeHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot*F
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipes
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC56185000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processori
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC56185000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorl
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration ServiceC
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
          Source: chrome.exe, 00000009.00000002.1409550050.0000085C01234000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=72386b88-ed4d-4941-a74b-aeeb16ae9e89
          Source: chrome.exe, 00000009.00000003.1355408005.000001CC57D71000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Tra
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V HypervisorB
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1352102380.000001CC561FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: aded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Ru
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52343000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor(
          Source: chrome.exe, 00000009.00000003.1351793021.000001CC5629A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus PipesicdL&
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC56185000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
          Source: chrome.exe, 00000009.00000002.1411351999.0000085C0177C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Virtual USB Mouse
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition
          Source: chrome.exe, 00000009.00000003.1351617243.000001CC562CA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1355474189.000001CC562D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Coun
          Source: chrome.exe, 00000009.00000003.1313616667.0000085C002D0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware20,1(
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Servicen
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC5234F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354486339.000001CC5234C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partitionz
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor)
          Source: chrome.exe, 00000009.00000002.1394292259.000001CC4E7E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: chrome.exe, 00000009.00000003.1355442168.000001CC562E5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1351246674.000001CC56262000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1351526991.000001CC562E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Se
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC5234F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.1354486339.000001CC5234C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl
          Source: chrome.exe, 00000009.00000003.1351735168.000001CC562B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hyperviso
          Source: chrome.exe, 00000009.00000002.1400358444.000001CC52324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root PartitionT
          Source: chrome.exe, 00000009.00000002.1401485707.000001CC561BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
          Source: chrome.exe, 00000009.00000003.1351246674.000001CC56262000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 14Runtime Count 1min9716Runtime Count Infinite3094Hyper-V Virtu
          Source: chrome.exe, 00000009.00000003.1352050175.000001CC56215000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1401485707.000001CC561F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition.dll
          Source: chrome.exe, 00000009.00000002.1394292259.000001CC4E883000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partitionll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF2AB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF67CF2AB04
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004108E0
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF2E2EC GetProcessHeap,0_2_00007FF67CF2E2EC
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF286F4 SetUnhandledExceptionFilter,0_2_00007FF67CF286F4
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF2AB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF67CF2AB04
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF28704 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF67CF28704
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF28088 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF67CF28088

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
          Searches for specific processes (likely to inject)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,2_2_00411250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00411310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,2_2_00411310
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 425000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 426000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 427000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 428000Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1326008Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\zmoh4" & exitJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 11Jump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF39520 cpuid 0_2_00007FF67CF39520
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree,2_2_0040FC20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FNLJD8Q3.exeCode function: 0_2_00007FF67CF28570 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF67CF28570
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_00417210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,2_2_00417210
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,2_2_0040FBC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected Vidar stealer
          Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
          Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 8152, type: MEMORYSTR
          Found many strings related to Crypto-Wallets (likely being stolen)
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Electrum
          Source: MSBuild.exe, 00000002.00000002.1606712996.0000000003ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \ElectronCash\wallets\
          Source: MSBuild.exe, 00000002.00000002.1606712996.0000000003ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Electrum\wallets\
          Source: MSBuild.exe, 00000002.00000002.1606712996.0000000003ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
          Source: MSBuild.exe, 00000002.00000002.1606712996.0000000003ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: exodus.conf.json
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: info.seco
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ElectrumLTC
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: passphrase.json
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Ethereum\
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Ethereum\
          Source: MSBuild.exe, 00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \MultiDoge\
          Source: MSBuild.exe, 00000002.00000002.1606712996.0000000003ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: seed.seco
          Source: MSBuild.exe, 00000002.00000002.1605562607.00000000015B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
          Source: MSBuild.exe, 00000002.00000002.1606712996.0000000003ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Electrum-LTC\wallets\
          Tries to harvest and steal Bitcoin Wallet information
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\ConfigurationJump to behavior
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.jsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.dbJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.dbJump to behavior
          Tries to harvest and steal ftp login credentials
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
          Tries to steal Crypto Currency Wallets
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
          Source: Yara matchFile source: 00000002.00000002.1605562607.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 8152, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Attempt to bypass Chrome Application-Bound Encryption
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          Yara detected Vidar stealer
          Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
          Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 8152, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
          Native API          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		1
          Deobfuscate/Decode Files or Information          		2
          OS Credential Dumping          		2
          System Time Discovery          		Remote Services1
          Archive Collected Data          		2
          Ingress Tool Transfer          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          Create Account          		1
          Extra Window Memory Injection          		1
          Obfuscated Files or Information          		1
          Credentials in Registry          		1
          Account Discovery          		Remote Desktop Protocol4
          Data from Local System          		21
          Encrypted Channel          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)411
          Process Injection          		1
          Software Packing          		Security Account Manager4
          File and Directory Discovery          		SMB/Windows Admin Shares1
          Screen Capture          		1
          Remote Access Software          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS45
          System Information Discovery          		Distributed Component Object ModelInput Capture3
          Non-Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Extra Window Memory Injection          		LSA Secrets21
          Security Software Discovery          		SSHKeylogging14
          Application Layer Protocol          		Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Masquerading          		Cached Domain Credentials1
          Virtualization/Sandbox Evasion          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          Virtualization/Sandbox Evasion          		DCSync12
          Process Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job411
          Process Injection          		Proc Filesystem1
          System Owner/User Discovery          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1639974 Sample: FNLJD8Q3.exe Startdate: 16/03/2025 Architecture: WINDOWS Score: 100 30 t.p.formaxprime.co.uk 2->30 32 t.me 2->32 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 5 other signatures 2->54 9 FNLJD8Q3.exe 1 2->9         started        signatures3 process4 signatures5 56 Writes to foreign memory regions 9->56 58 Allocates memory in foreign processes 9->58 60 Injects a PE file into a foreign processes 9->60 12 MSBuild.exe 30 9->12         started        16 conhost.exe 9->16         started        process6 dnsIp7 42 t.p.formaxprime.co.uk 78.47.63.132, 443, 49724, 49725 HETZNER-ASDE Germany 12->42 44 t.me 149.154.167.99, 443, 49723 TELEGRAMRU United Kingdom 12->44 46 127.0.0.1 unknown unknown 12->46 62 Attempt to bypass Chrome Application-Bound Encryption 12->62 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->64 66 Found many strings related to Crypto-Wallets (likely being stolen) 12->66 68 5 other signatures 12->68 18 chrome.exe 12->18         started        21 cmd.exe 1 12->21         started        signatures8 process9 dnsIp10 34 192.168.2.4, 138, 443, 49708 unknown unknown 18->34 23 chrome.exe 18->23         started        26 conhost.exe 21->26         started        28 timeout.exe 1 21->28         started        process11 dnsIp12 36 www.google.com 142.250.184.196, 443, 49744, 49745 GOOGLEUS United States 23->36 38 plus.l.google.com 142.250.186.174, 443, 49762 GOOGLEUS United States 23->38 40 2 other IPs or domains 23->40

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.