Edit tour

Windows Analysis Report
NWpNjnx.exe

Overview

General Information

Sample name:	NWpNjnx.exe
Analysis ID:	1643068
MD5:	177388c310e9cce7ca37bbab73edc032
SHA1:	c1dde2e0b91d0aec48400eef1a00ea590f4f038a
SHA256:	f51b6bd07d0be72e48f8277fc937885a0912d56d937966f182a204427267f8f0
Tags:	176-113-115-7exeuser-JAMESWT_MHT
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Attempt to bypass Chrome Application-Bound Encryption

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Detected non-DNS traffic on DNS port

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

NWpNjnx.exe (PID: 8512 cmdline: "C:\Users\user\Desktop\NWpNjnx.exe" MD5: 177388C310E9CCE7CA37BBAB73EDC032)

chrome.exe (PID: 2072 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4068 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2332,i,11926905524139979339,10828025431271423253,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2568 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7732 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2448,i,8754246349209548584,10503215830756298871,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3084 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8156 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7740 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3600 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2396,i,13745689592266742683,13129913647732731796,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2480 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2396,i,13745689592266742683,13129913647732731796,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5364 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5620 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6584 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4172 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3752 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5196 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

msedge.exe (PID: 8712 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2636 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2340,i,2587389878926192451,2990105616809838340,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9164 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8724 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=992 --field-trial-handle=2412,i,16395255640135883772,14137685151121912344,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1260 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=2452,i,1961410066156080185,15470953524769477924,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6208 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8364 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2360,i,18301246024878363182,2756229517446973756,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8760 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 804 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2352,i,6541447083727747937,7400720925629244277,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7452 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2196 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2348,i,687132200064469701,4580685076148190025,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8748 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1092 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2280,i,17704277969141967471,10006883037445517965,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1600 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2340,i,13878332601536474959,2812580655429299359,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5248 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7424 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1988,i,1760164721029637801,2658846490141056001,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7032 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5852 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1964,i,17155506128084257532,3398633539599173768,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3932 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6792 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=2064,i,3132128271035991470,12309965145868920418,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5368 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9000 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=2004,i,5163077432638225654,8362902616666834378,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9204 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3308 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2004,i,11658584872999196824,11487833335808583967,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8204 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7172 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2056,i,9332751546683616399,2193557983551615240,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1416813978.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.1465072272.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.1416733537.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: NWpNjnx.exe PID: 8512	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: NWpNjnx.exe PID: 8512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\NWpNjnx.exe", ParentImage: C:\Users\user\Desktop\NWpNjnx.exe, ParentProcessId: 8512, ParentProcessName: NWpNjnx.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 2072, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:01:18.189792+0100	2044247	1	Malware Command and Control Activity Detected	78.47.63.132	443	192.168.2.5	49724	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:01:21.467488+0100	2051831	1	Malware Command and Control Activity Detected	78.47.63.132	443	192.168.2.5	49725	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:01:16.410088+0100	2049087	1	A Network Trojan was detected	192.168.2.5	49723	78.47.63.132	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:01:37.330409+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49733	78.47.63.132	443	TCP
2025-03-19T14:03:15.808046+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49738	78.47.63.132	443	TCP
2025-03-19T14:03:17.858890+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49740	78.47.63.132	443	TCP
2025-03-19T14:03:18.979099+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49742	78.47.63.132	443	TCP
2025-03-19T14:03:21.703467+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49744	78.47.63.132	443	TCP
2025-03-19T14:05:56.980904+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49796	78.47.63.132	443	TCP
2025-03-19T14:05:58.883543+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49799	78.47.63.132	443	TCP
2025-03-19T14:06:00.430530+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49800	78.47.63.132	443	TCP
2025-03-19T14:06:04.294241+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49804	78.47.63.132	443	TCP
2025-03-19T14:07:07.607208+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49876	78.47.63.132	443	TCP
2025-03-19T14:07:12.692524+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49886	78.47.63.132	443	TCP
2025-03-19T14:07:15.731325+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49888	78.47.63.132	443	TCP
2025-03-19T14:07:19.538458+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49893	78.47.63.132	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:03:17.858890+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49740	78.47.63.132	443	TCP
2025-03-19T14:03:18.979099+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49742	78.47.63.132	443	TCP
2025-03-19T14:03:21.703467+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49744	78.47.63.132	443	TCP
2025-03-19T14:05:58.883543+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49799	78.47.63.132	443	TCP
2025-03-19T14:06:00.430530+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49800	78.47.63.132	443	TCP
2025-03-19T14:06:04.294241+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49804	78.47.63.132	443	TCP
2025-03-19T14:07:12.692524+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49886	78.47.63.132	443	TCP
2025-03-19T14:07:15.731325+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49888	78.47.63.132	443	TCP
2025-03-19T14:07:19.538458+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49893	78.47.63.132	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T14:01:14.933702+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.5	49722	78.47.63.132	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NWpNjnx.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: NWpNjnx.exe	Virustotal: Detection: 46%			Perma Link
Source: NWpNjnx.exe	ReversingLabs: Detection: 61%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: NWpNjnx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49924 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64831 version: TLS 1.2

Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 35MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:49723 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49733 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:49722 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49744 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49744 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49740 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49740 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49738 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.63.132:443 -> 192.168.2.5:49725
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49796 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49742 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49742 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.63.132:443 -> 192.168.2.5:49724
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49800 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49800 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49804 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49804 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49799 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49799 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49876 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49886 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49886 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49888 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49888 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49893 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49893 -> 78.47.63.132:443

Source: global traffic

TCP traffic: 192.168.2.5:64704 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 78.47.63.132 78.47.63.132
Source: Joe Sandbox View	IP Address: 150.171.28.12 150.171.28.12

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.37.123
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.37.123
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.37.123
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.37.123
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.37.123
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.120
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: y.p.formaxprime.co.ukConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiJo8sBCIWgzQEI9s/OAQiB1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiJo8sBCIWgzQEI9s/OAQiB1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEIr+TOAQji5M4BCIblzgEIi+XOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEIr+TOAQji5M4BCIblzgEIi+XOAQ==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.4d8db7952bfb6ade56ed.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.4sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=879D94632F5642A1AE1469991DCACFF5.RefC=2025-03-19T13:06:06Z; USRLOC=; MUID=1CA60C579F866EB020F519E39EE96F81; MUIDB=1CA60C579F866EB020F519E39EE96F81; _EDGE_S=F=1&SID=2CBC6A67861563D4157B7FD38767621C; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.4sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=879D94632F5642A1AE1469991DCACFF5.RefC=2025-03-19T13:06:06Z; USRLOC=; MUID=1CA60C579F866EB020F519E39EE96F81; MUIDB=1CA60C579F866EB020F519E39EE96F81; _EDGE_S=F=1&SID=2CBC6A67861563D4157B7FD38767621C; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.08ddc3af8246ad2193cd.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.1ed6fad3ee8a8960478c.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.9045e741496681aaf1c6.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.d4d522637b36f4979540.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.1ed6fad3ee8a8960478c.js HTTP/1.1Host: assets2.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.d4d522637b36f4979540.js HTTP/1.1Host: assets2.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.2693915130.00001B9C01014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2702521863.00001B9C00328000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3501605561.000021CC00340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000008.00000003.2693915130.00001B9C01014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2702521863.00001B9C00328000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3501605561.000021CC00340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3067846242.00001B9C014A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.3067846242.00001B9C014A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085854738.000021CC013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: y.p.formaxprime.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets2.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ek689rqqimozm7y5x47yUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: y.p.formaxprime.co.ukContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000000B.00000002.3439374935.0000417400FD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440043131.00004174010CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current?cup2key=8:z7Jz-gk-_5G45HVFnUIrCae5DUb06Hske-pOoL-2qbQ&cup2
Source: chrome.exe, 0000000E.00000002.4026500320.000021CC008B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: NWpNjnx.exe, 00000000.00000003.5270737477.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5317955680.0000000005CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsm=
Source: NWpNjnx.exe, 00000000.00000003.4348353031.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4344870907.0000000005E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: NWpNjnx.exe, 00000000.00000003.5820733454.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5777763815.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6150129156.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6105221434.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.c
Source: NWpNjnx.exe, 00000000.00000003.2600818051.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4204329742.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5270737477.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2639651608.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5588002655.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2600903784.0000000005744000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2666551343.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2628326989.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6328717596.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431448866.0000000005745000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3424853074.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6108816453.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5679785621.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238625127.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6413634369.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4210148016.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5780611660.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5223962569.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5600773182.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6248651206.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6171018383.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: NWpNjnx.exe, 00000000.00000003.4252979027.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4247602901.0000000005740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/#n
Source: NWpNjnx.exe, 00000000.00000003.4252979027.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4247602901.0000000005740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/8n
Source: NWpNjnx.exe, 00000000.00000003.2666551343.0000000005740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/U
Source: NWpNjnx.exe, 00000000.00000003.5052468348.0000000005CBD000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4210148016.000000000585B000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431409175.000000000567E000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4204329742.000000000585B000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2666551343.0000000005736000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: NWpNjnx.exe, 00000000.00000003.5519108164.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1d27ece28d4be
Source: NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2e9b37236089c
Source: NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69e5c82a4d333
Source: NWpNjnx.exe, 00000000.00000003.5055125934.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5052468348.0000000005CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a9652f377748e
Source: NWpNjnx.exe, 00000000.00000003.2630503747.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2632430940.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2628326989.0000000005740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b756591ea6b60
Source: NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?de944df71ae16
Source: NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ff2a18ff31486
Source: NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5519108164.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabM
Source: NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabU
Source: NWpNjnx.exe, 00000000.00000003.5519108164.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabr
Source: NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabt
Source: NWpNjnx.exe, 00000000.00000003.3432599542.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab~k
Source: NWpNjnx.exe, 00000000.00000003.6259760887.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6171018383.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6248651206.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6226180168.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6237595221.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6193849761.0000000005CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootst
Source: NWpNjnx.exe, 00000000.00000003.6150129156.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6105221434.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?08
Source: NWpNjnx.exe, 00000000.00000003.6050064577.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6039662595.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0855c627a4
Source: NWpNjnx.exe, 00000000.00000003.6050064577.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6039662595.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5885503840.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5998562742.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5953502482.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0b7d0f52d8
Source: NWpNjnx.exe, 00000000.00000003.5291046182.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1942ba8a00
Source: NWpNjnx.exe, 00000000.00000003.5024430253.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4996104438.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4992510414.0000000005E87000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5020961574.0000000005E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1e3a50fedf
Source: NWpNjnx.exe, 00000000.00000003.5998562742.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5953502482.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?25edc05200
Source: NWpNjnx.exe, 00000000.00000003.5024430253.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5020961574.0000000005E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2b791a36cb
Source: NWpNjnx.exe, 00000000.00000003.6050064577.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6039662595.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5820733454.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5777763815.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5598590712.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5885503840.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5696922520.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5998562742.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5953502482.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2cf3075c82
Source: NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2e9b372360
Source: NWpNjnx.exe, 00000000.00000003.6152423350.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6153943997.0000000005CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4289083a52
Source: NWpNjnx.exe, 00000000.00000003.6108816453.0000000005CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?53e806bb73
Source: NWpNjnx.exe, 00000000.00000003.4252979027.0000000005736000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4247602901.0000000005736000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7f74cfc152
Source: NWpNjnx.exe, 00000000.00000003.6152423350.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6171018383.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6153943997.0000000005CEE000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6226180168.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6237595221.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6108816453.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6193849761.0000000005CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8c15c987d7
Source: NWpNjnx.exe, 00000000.00000003.6259760887.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6291171371.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6171018383.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6248651206.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6226180168.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6237595221.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6193849761.0000000005CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8ca804=
Source: NWpNjnx.exe, 00000000.00000003.6152423350.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6153943997.0000000005CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8ca804e83a
Source: NWpNjnx.exe, 00000000.00000003.5777763815.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9018fde58b
Source: NWpNjnx.exe, 00000000.00000003.5325507647.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5228370936.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5291046182.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?91ab3a5c52
Source: NWpNjnx.exe, 00000000.00000003.4348353031.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4344870907.0000000005E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?afc990dec6
Source: NWpNjnx.exe, 00000000.00000003.4252979027.0000000005736000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4247602901.0000000005736000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b99ab26729
Source: NWpNjnx.exe, 00000000.00000003.6050064577.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6039662595.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6150129156.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6105221434.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5998562742.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c3954b942e
Source: NWpNjnx.exe, 00000000.00000003.5325507647.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d603eab973
Source: NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?de944df71a
Source: NWpNjnx.exe, 00000000.00000003.6050064577.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6039662595.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6105221434.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5998562742.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e8c01df07e
Source: NWpNjnx.exe, 00000000.00000003.6050064577.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f68efaf9bf
Source: NWpNjnx.exe, 00000000.00000003.5696922520.0000000005DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ff2a18ff31
Source: chrome.exe, 0000000B.00000002.3435770106.0000417400928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023505488.000021CC00104000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082047819.000021CC00C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026905072.000021CC00980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000008.00000002.3063684074.00001B9C010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084152598.000021CC010BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000008.00000002.2930805170.00001B9C000D5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431976791.00004174000AF000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023210058.000021CC0009B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 0000000E.00000002.4019678087.000002C5D981D000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083568578.000021CC00FA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000008.00000002.3060206221.00001B9C00DE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437770924.0000417400DA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082477299.000021CC00DA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 0000000E.00000002.4088272332.000021CC01814000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/re
Source: chrome.exe, 0000000E.00000002.4083851134.000021CC01014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 00000008.00000002.3060334301.00001B9C00DEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437919529.0000417400DF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082567644.000021CC00DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: NWpNjnx.exe, 00000000.00000003.4348353031.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5325507647.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4920158159.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4916354325.0000000005E87000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5228370936.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4344870907.0000000005E87000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5291046182.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: chrome.exe, 0000000E.00000002.4083121906.000021CC00EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000008.00000002.2930631986.00001B9C00054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431719117.0000417400030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023082307.000021CC00030000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000008.00000002.3165250854.00001B9C017F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2996534501.00001B9C00730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3064441698.00001B9C011C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435022187.0000417400780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3434795192.0000417400720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083506256.000021CC00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026110350.000021CC007B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000008.00000002.2930525119.00001B9C00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431850562.000041740005C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023161657.000021CC0005C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000008.00000002.2996534501.00001B9C00730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3434795192.0000417400720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026110350.000021CC007B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://adroll.com
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://akpytela.cz
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apex-football.com
Source: chrome.exe, 0000000E.00000002.4086081699.000021CC01414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 0000001B.00000002.4345668997.0000021591545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comse0
Source: chrome.exe, 00000008.00000002.3058190349.00001B9C00968000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435392704.0000417400864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026500320.000021CC008B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bluems.com
Source: NWpNjnx.exe, 00000000.00000003.5976885603.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6086048272.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5956340773.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5823409043.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5714943791.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6006082067.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3432599542.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5789894574.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4351554184.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5680996689.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: NWpNjnx.exe, 00000000.00000003.5976885603.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6086048272.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5956340773.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5823409043.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5714943791.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6006082067.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3432599542.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5789894574.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4351554184.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5680996689.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: chrome.exe, 00000008.00000002.2932234824.00001B9C00584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3063538084.00001B9C01014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2702245671.00001B9C014AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2702482294.00001B9C015B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4025495541.000021CC00604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3501495907.000021CC01604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4087408562.000021CC01630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083900855.000021CC01020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058814559.00001B9C00B58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059251515.00001B9C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437287641.0000417400CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436538394.0000417400B44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4081777975.000021CC00BA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082371712.000021CC00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086911351.000021CC01514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.4083121906.000021CC00EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: NWpNjnx.exe, 00000000.00000003.5419792599.0000000005D08000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059623454.00001B9C00D9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083121906.000021CC00EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: NWpNjnx.exe, 00000000.00000003.5419792599.0000000005D08000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059623454.00001B9C00D9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083121906.000021CC00EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000E.00000002.4084106230.000021CC010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023927706.000021CC001BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000E.00000002.3924911360.000002C5D8287000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 0000000E.00000002.4088315899.000021CC01828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084494406.000021CC01140000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000008.00000003.2702351426.00001B9C01504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3441171292.00004174011D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3441229018.00004174011E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3442786053.0000417401310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085190346.000021CC0128C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3499208496.000021CC01414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3502573019.000021CC01404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084106230.000021CC010A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000E.00000003.3478560987.000021C800504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000E.00000003.3478560987.000021C800504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000008.00000003.2679164861.00001B98004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3175064274.00004170004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477986196.000021C8004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000B.00000002.3435260917.0000417400804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026319594.000021CC00840000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000008.00000002.2930525119.00001B9C00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431604102.0000417400004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026319594.000021CC00840000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000008.00000002.2930557168.00001B9C00024000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433126886.00004174001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023927706.000021CC001BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000008.00000002.3058330745.00001B9C00998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435860359.000041740097C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026948594.000021CC0098C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000008.00000002.3058330745.00001B9C00998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435860359.000041740097C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026948594.000021CC0098C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000000E.00000002.4083078855.000021CC00E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.goog
Source: chrome.exe, 00000008.00000003.2667395902.00007698000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000A.00000003.2736742825.00003578000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3172705825.00001940000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000002.3413105860.0000022577165000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000D.00000003.3410266659.000048A8000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3475866558.00007558000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.3531561006.00004160000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.3596538096.00002A88000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.3600002385.0000026D7CE55000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.3667820878.000030C8000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.3669287004.00000207D31C8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.3721453546.00006FD8000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.3722734235.000001C74D619000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.3796953103.00005CA8000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000002.3798456252.000001D60E0FA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000016.00000003.3854826024.00003700000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000016.00000002.3855941496.000001C695177000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000017.00000003.3927181339.00001360000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000003.3988655532.00003540000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000018.00000002.3991106168.00000211E0599000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000019.00000003.4043156760.00007BB8000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000008.00000002.3058094420.00001B9C00918000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930557168.00001B9C00024000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2931168347.00001B9C00198000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3057843595.00001B9C00850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3057596150.00001B9C00798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3064180515.00001B9C01184000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433126886.00004174001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436658319.0000417400B78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3438188575.0000417400E20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435633056.0000417400900000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435807967.0000417400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026948594.000021CC0098C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023847354.000021CC00190000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3498489888.000021CC00414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024740222.000021CC00418000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023927706.000021CC001BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000008.00000002.2930962926.00001B9C00120000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439328413.0000417400FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3432576441.00004174000F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000008.00000002.3057624497.00001B9C007A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435060195.00004174007A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026238326.000021CC0080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 0000000B.00000002.3435060195.00004174007A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bP
Source: chrome.exe, 00000008.00000002.3057763840.00001B9C00804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435296696.0000417400824000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026398851.000021CC00878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000008.00000002.3057763840.00001B9C00804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435296696.0000417400824000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026398851.000021CC00878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000008.00000002.3057843595.00001B9C00850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435392704.0000417400864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026500320.000021CC008B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: NWpNjnx.exe, 00000000.00000003.5976885603.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6086048272.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5956340773.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5823409043.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5714943791.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6006082067.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3432599542.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5789894574.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4351554184.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5680996689.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: NWpNjnx.exe, 00000000.00000003.5976885603.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6086048272.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5956340773.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5823409043.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5714943791.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6006082067.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3432599542.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5789894574.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4351554184.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5680996689.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: chrome.exe, 0000000E.00000002.4027228035.000021CC00A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogl
Source: chrome.exe, 0000000E.00000002.4027228035.000021CC00A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogl.com/cs
Source: chrome.exe, 00000008.00000002.2930750453.00001B9C000A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023771550.000021CC00174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1
Source: chrome.exe, 00000008.00000002.2930750453.00001B9C000A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023771550.000021CC00174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1Cache-Control:
Source: chrome.exe, 0000000E.00000002.4025103559.000021CC0050E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1
Source: chrome.exe, 0000000E.00000002.4024856428.000021CC00450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000008.00000002.3058550867.00001B9C00A24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437594779.0000417400D3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437594779.0000417400D3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084349375.000021CC0110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3058550867.00001B9C00A24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3068726454.00001B9C01538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437594779.0000417400D3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023887111.000021CC001A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000008.00000002.3058550867.00001B9C00A24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2931751122.00001B9C003EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437594779.0000417400D3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023887111.000021CC001A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058814559.00001B9C00B58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059251515.00001B9C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437287641.0000417400CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436538394.0000417400B44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4081777975.000021CC00BA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082371712.000021CC00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086911351.000021CC01514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058814559.00001B9C00B58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059251515.00001B9C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437287641.0000417400CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436538394.0000417400B44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4081777975.000021CC00BA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082371712.000021CC00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086911351.000021CC01514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000008.00000002.3063851335.00001B9C01100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082047819.000021CC00C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3063851335.00001B9C01100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3061007293.00001B9C00E3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3057698110.00001B9C007D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082047819.000021CC00C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3063851335.00001B9C01100000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082047819.000021CC00C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058814559.00001B9C00B58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059251515.00001B9C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437287641.0000417400CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436538394.0000417400B44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4081777975.000021CC00BA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082371712.000021CC00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086911351.000021CC01514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439951396.00004174010A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058814559.00001B9C00B58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059251515.00001B9C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437287641.0000417400CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436538394.0000417400B44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4081777975.000021CC00BA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082371712.000021CC00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086911351.000021CC01514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.4023887111.000021CC001A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googleen_US
Source: chrome.exe, 0000000E.00000002.4023887111.000021CC001A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googleen_USocument/:
Source: chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000008.00000002.3057596150.00001B9C00798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000008.00000002.3057596150.00001B9C00798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000008.00000002.3057596150.00001B9C00798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000008.00000002.3057596150.00001B9C00798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000008.00000002.3057596150.00001B9C00798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 0000000B.00000002.3433558396.00004174002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026200908.000021CC00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3062481000.00001B9C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3067846242.00001B9C014A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082567644.000021CC00DC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085854738.000021CC013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000008.00000002.3062481000.00001B9C00F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2policy
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: NWpNjnx.exe, 00000000.00000003.5419792599.0000000005D08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: NWpNjnx.exe, 00000000.00000003.5419792599.0000000005D08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: NWpNjnx.exe, 00000000.00000003.5419792599.0000000005D08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://elnacional.cat
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://explorefledge.com
Source: chrome.exe, 00000008.00000003.2702973201.00001B9C01760000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164950832.00001B9C0169C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3165090304.00001B9C01738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3502262420.000021CC0170C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3501966796.000021CC016E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3502142694.000021CC0167C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chrome.exe, 0000000E.00000002.4083121906.000021CC00EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 00000008.00000003.2679164861.00001B98004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3175064274.00004170004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477986196.000021C8004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000008.00000003.2679164861.00001B98004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3175064274.00004170004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477986196.000021C8004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000E.00000003.3477986196.000021C8004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000008.00000003.2679164861.00001B98004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3175064274.00004170004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477986196.000021C8004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000008.00000003.2679164861.00001B98004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3175064274.00004170004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477986196.000021C8004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 0000000E.00000003.3477986196.000021C8004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000008.00000002.2930525119.00001B9C00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431604102.0000417400004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023003347.000021CC00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001B.00000002.4351085235.000003F000300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000008.00000002.3058064513.00001B9C00904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435633056.0000417400900000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026775662.000021CC0096C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: NWpNjnx.exe, 00000000.00000003.5143917325.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 0000001B.00000003.4298973705.000003F000354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000008.00000002.3059375831.00001B9C00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058899229.00001B9C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164950832.00001B9C016C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436658319.0000417400B78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437455230.0000417400D04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082416337.000021CC00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4081819621.000021CC00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4087754461.000021CC01770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000000E.00000002.4024892606.000021CC00460000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000008.00000002.2932234824.00001B9C00584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3063538084.00001B9C01014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4025495541.000021CC00604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083900855.000021CC01020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3067846242.00001B9C014A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085854738.000021CC013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/ies
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000000E.00000002.4024892606.000021CC00460000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084152598.000021CC010BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.3068726454.00001B9C01538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084645934.000021CC01194000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437243283.0000417400C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437521992.0000417400D30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: msedge.exe, 0000001B.00000002.4351085235.000003F000300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000001B.00000002.4351085235.000003F000300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: msedge.exe, 0000001B.00000002.4351085235.000003F000300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/Y
Source: chrome.exe, 00000008.00000002.3165061013.00001B9C016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058691077.00001B9C00A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436337740.0000417400AC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4087843689.000021CC01798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4080021540.000021CC00A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000008.00000002.3062433154.00001B9C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059375831.00001B9C00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058691077.00001B9C00A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436337740.0000417400AC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437723368.0000417400D64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4080845705.000021CC00B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083506256.000021CC00F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000008.00000002.3062433154.00001B9C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059375831.00001B9C00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058691077.00001B9C00A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436337740.0000417400AC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437723368.0000417400D64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4080845705.000021CC00B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083506256.000021CC00F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000008.00000002.3062433154.00001B9C00F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059375831.00001B9C00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058691077.00001B9C00A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436337740.0000417400AC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437723368.0000417400D64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4080845705.000021CC00B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083506256.000021CC00F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000008.00000003.2701918313.00001B9C01208000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059042445.00001B9C00C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436994862.0000417400C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085229270.000021CC0129C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082047819.000021CC00C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 0000001B.00000002.4351085235.000003F000300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 0000000E.00000002.4086081699.000021CC01414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000000E.00000002.4023360835.000021CC000D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000E.00000002.4086081699.000021CC01414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000000E.00000002.4086081699.000021CC01414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000008.00000002.3164452898.00001B9C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164640841.00001B9C015E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3064114540.00001B9C01168000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3442845222.000041740132B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439677578.0000417401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437359996.0000417400CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440865691.000041740119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086455671.000021CC0148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086377784.000021CC01470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000E.00000002.4085953867.000021CC013E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086759979.000021CC014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3498364734.000021CC00A2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.3164452898.00001B9C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2693522249.00001B9C00BD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164640841.00001B9C015E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164667360.00001B9C015F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3442845222.000041740132B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436457543.0000417400B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440865691.000041740119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086538788.000021CC014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3498364734.000021CC00A2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000008.00000002.3164452898.00001B9C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164640841.00001B9C015E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440865691.000041740119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086377784.000021CC01470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000008.00000002.3164452898.00001B9C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2693522249.00001B9C00BD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164640841.00001B9C015E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3442845222.000041740132B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440865691.000041740119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086538788.000021CC014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086377784.000021CC01470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.3164452898.00001B9C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164640841.00001B9C015E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3067231778.00001B9C01404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3442845222.000041740132B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440923701.00004174011A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436918006.0000417400C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440865691.000041740119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086377784.000021CC01470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085775514.000021CC01384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000002.3164452898.00001B9C01574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164640841.00001B9C015E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3064114540.00001B9C01168000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3442845222.000041740132B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437359996.0000417400CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440865691.000041740119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086377784.000021CC01470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084152598.000021CC010BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.3068190243.00001B9C014D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164667360.00001B9C015F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3442845222.000041740132B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435022187.0000417400780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3439677578.0000417401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3443101499.0000417401338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436457543.0000417400B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3440865691.000041740119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086538788.000021CC014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085953867.000021CC013E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086159541.000021CC01430000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086759979.000021CC014FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084152598.000021CC010BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3498364734.000021CC00A2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000008.00000002.2932234824.00001B9C00584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3063538084.00001B9C01014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2702482294.00001B9C015B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4025495541.000021CC00604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3501495907.000021CC01604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083900855.000021CC01020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 00000008.00000002.3058128744.00001B9C00940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435807967.0000417400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4027013238.000021CC009B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 00000008.00000003.2701918313.00001B9C01208000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059042445.00001B9C00C10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059188353.00001B9C00C78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436994862.0000417400C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085229270.000021CC0129C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082047819.000021CC00C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082180110.000021CC00C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000008.00000002.2996534501.00001B9C00730000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435060195.00004174007A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026356574.000021CC00850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000E.00000002.4026356574.000021CC00850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000B.00000002.3432376028.00004174000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433792031.00004174003F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3498489888.000021CC00414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024740222.000021CC00418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://samplicio.us
Source: chrome.exe, 0000000E.00000002.4023621883.000021CC00138000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4023161657.000021CC0005C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 00000008.00000002.3060334301.00001B9C00DEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437919529.0000417400DF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082567644.000021CC00DC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000008.00000002.3059375831.00001B9C00D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058899229.00001B9C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164950832.00001B9C016C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436658319.0000417400B78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437455230.0000417400D04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082416337.000021CC00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4081819621.000021CC00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4087169543.000021CC01564000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000000E.00000002.4024892606.000021CC00460000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: NWpNjnx.exe, 00000000.00000003.1338599581.00000000047C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
Source: NWpNjnx.exe, 00000000.00000003.1338599581.00000000047C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
Source: chrome.exe, 00000008.00000003.2702803715.00001B9C00540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2932183498.00001B9C0054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3434497615.00004174005A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4025495541.000021CC00634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: NWpNjnx.exe, 00000000.00000003.1364785635.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1364785635.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1338599581.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1364844197.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontent
Source: NWpNjnx.exe, 00000000.00000003.1338599581.00000000047C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
Source: chrome.exe, 00000008.00000002.3060334301.00001B9C00DEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437919529.0000417400DF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082567644.000021CC00DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://torneos.gg
Source: chrome.exe, 0000000B.00000002.3432236303.00004174000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tya-dev.com
Source: NWpNjnx.exe, 00000000.00000003.1364785635.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1364785635.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: NWpNjnx.exe, 00000000.00000003.5976885603.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6086048272.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5956340773.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5823409043.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5714943791.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6006082067.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3432599542.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5789894574.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4351554184.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5680996689.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: NWpNjnx.exe, 00000000.00000003.5976885603.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6086048272.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5956340773.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5823409043.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5714943791.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.6006082067.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3432599542.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5789894574.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4351554184.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5680996689.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: NWpNjnx.exe, 00000000.00000003.5419792599.0000000005D08000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059623454.00001B9C00D9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4083121906.000021CC00EA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 00000008.00000002.2931547628.00001B9C002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000008.00000002.3060525603.00001B9C00E04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000E.00000002.4084106230.000021CC010A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085059107.000021CC01258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082524231.000021CC00DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082833359.000021CC00E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082658453.000021CC00DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000008.00000002.3063881788.00001B9C01110000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4087890006.000021CC017D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000008.00000002.3165404845.00001B9C01834000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4086911351.000021CC01514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000008.00000002.3058128744.00001B9C00940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435807967.0000417400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4027013238.000021CC009B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000008.00000002.3058330745.00001B9C00998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435860359.000041740097C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026948594.000021CC0098C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000008.00000002.3058330745.00001B9C00998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435860359.000041740097C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026948594.000021CC0098C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000008.00000002.3058746315.00001B9C00B20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3063881788.00001B9C01110000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3059288066.00001B9C00CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437638671.0000417400D48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436337740.0000417400AC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082416337.000021CC00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084302729.000021CC010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4080522465.000021CC00B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: NWpNjnx.exe, 00000000.00000003.5419792599.0000000005D08000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3062328568.00001B9C00F08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2702803715.00001B9C00540000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2932183498.00001B9C0054C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3063044435.00001B9C00FC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3057763840.00001B9C00804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3434196396.0000417400498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3434497615.00004174005A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3435296696.0000417400824000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4025495541.000021CC00634000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026398851.000021CC00878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024245060.000021CC0023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.icoe
Source: chrome.exe, 0000000E.00000002.4024892606.000021CC00460000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000008.00000002.2931884225.00001B9C00469000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3434724917.00004174006A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4025057719.000021CC004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000008.00000002.3060525603.00001B9C00E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433339679.0000417400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000008.00000003.2678902317.00001B9800404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2930386018.00001B9800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.3174421343.0000417000404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3431354569.0000417000630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4022875921.000021C800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3477630142.000021C800404000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000008.00000002.2931421930.00001B9C00214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433235978.00004174001F3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4024193411.000021CC00210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000E.00000002.4024371980.000021CC00308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000E.00000002.4026398851.000021CC00878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000008.00000002.3068190243.00001B9C014D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Source: chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000008.00000002.3165705623.00001B9C018EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3164896953.00001B9C01660000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3165672482.00001B9C018BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3165766337.00001B9C01924000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3165848972.00001B9C01974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3165736231.00001B9C0190C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138392686.000021CC01978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4087890006.000021CC017C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138337824.000021CC01960000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000E.00000002.4086081699.000021CC01414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.YoBm8xXuGOY.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000000E.00000002.4086081699.000021CC01414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138495823.000021CC019A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4138233448.000021CC0190C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.NMINDki6kLA.L.W.O/m=qmd
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3067846242.00001B9C014A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4084590609.000021CC0115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085854738.000021CC013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085520760.000021CC01308000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000008.00000002.3067584386.00001B9C01454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3433754796.00004174003DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3437838865.0000417400DBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3436018744.00004174009BD000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4082946872.000021CC00E68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4085114380.000021CC01274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: NWpNjnx.exe, 00000000.00000003.1364785635.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk
Source: NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk$
Source: NWpNjnx.exe, 00000000.00000003.2659706018.0000000005740000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5519108164.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2632430940.0000000005746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/
Source: NWpNjnx.exe, 00000000.00000003.1384728164.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/-(
Source: NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/.
Source: NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk//
Source: NWpNjnx.exe, 00000000.00000003.2628326989.0000000005740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/1n
Source: NWpNjnx.exe, 00000000.00000003.4212663973.0000000005CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/CKc
Source: NWpNjnx.exe, 00000000.00000003.1384728164.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1399704507.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/E
Source: NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5519108164.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/O
Source: NWpNjnx.exe, 00000000.00000003.1399704507.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/P
Source: NWpNjnx.exe, 00000000.00000003.2667247982.0000000005674000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2659191940.0000000005674000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431130474.000000000567B000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431409175.000000000567E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/Storage
Source: NWpNjnx.exe, 00000000.00000003.1416813978.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1384728164.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1399704507.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/U
Source: NWpNjnx.exe, 00000000.00000003.2667247982.0000000005674000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.2659191940.0000000005674000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431130474.000000000567B000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431409175.000000000567E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/Visited
Source: NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/Y
Source: NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/a
Source: NWpNjnx.exe, 00000000.00000003.1384728164.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/b
Source: NWpNjnx.exe, 00000000.00000003.1416813978.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1399704507.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/h
Source: NWpNjnx.exe, 00000000.00000003.2614541880.000000000568A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/heavy_ad_intervention_opt_out.db
Source: NWpNjnx.exe, 00000000.00000003.2633259025.000000000569C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/q
Source: NWpNjnx.exe, 00000000.00000003.2628326989.0000000005740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/r
Source: NWpNjnx.exe, 00000000.00000003.1384728164.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/s
Source: NWpNjnx.exe, 00000000.00000003.1416733537.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/uPS
Source: NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk/z
Source: NWpNjnx.exe, 00000000.00000003.1384728164.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukO
Source: NWpNjnx.exe, 00000000.00000003.1399704507.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukb
Source: NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukl
Source: NWpNjnx.exe, 00000000.00000003.1416813978.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4915935627.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4245452248.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1399704507.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4238517016.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3430474761.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.1465072272.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3431239796.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4203969032.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4351554184.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.4290805761.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5519108164.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.3432599542.0000000000C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.ukm
Source: NWpNjnx.exe, 00000000.00000003.1416813978.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5681159331.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5143917325.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, NWpNjnx.exe, 00000000.00000003.5519108164.0000000000C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://y.p.formaxprime.co.uk~

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 64725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 64777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 64794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 64749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64804
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 64718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 64773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 64796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 64767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64779
Source: unknown	Network traffic detected: HTTP traffic on port 64738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64772
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64773
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 64810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64791
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64785
Source: unknown	Network traffic detected: HTTP traffic on port 64804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64787
Source: unknown	Network traffic detected: HTTP traffic on port 64733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 64779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 64717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 64833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64738
Source: unknown	Network traffic detected: HTTP traffic on port 64763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64733
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64747
Source: unknown	Network traffic detected: HTTP traffic on port 64819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64749
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64741
Source: unknown	Network traffic detected: HTTP traffic on port 64825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64743
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64745
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64759
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64753
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64770
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64768
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64765
Source: unknown	Network traffic detected: HTTP traffic on port 64735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64767
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64817
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 64753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 64715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64810
Source: unknown	Network traffic detected: HTTP traffic on port 64799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64707
Source: unknown	Network traffic detected: HTTP traffic on port 64758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 64829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64821
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64713
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64715
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64718
Source: unknown	Network traffic detected: HTTP traffic on port 64765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64717
Source: unknown	Network traffic detected: HTTP traffic on port 64759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64833
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64711
Source: unknown	Network traffic detected: HTTP traffic on port 64720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64725
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64727
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 64787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 64802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64723
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64731 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:49924 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.5:64831 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: NWpNjnx.exe	Static PE information: section name:
Source: NWpNjnx.exe	Static PE information: section name: .idata
Source: NWpNjnx.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\NWpNjnx.exe

Process Stats: CPU usage > 49%

Source: NWpNjnx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NWpNjnx.exe	Static PE information: Section: ZLIB complexity 0.9981296345338984
Source: NWpNjnx.exe	Static PE information: Section: izkxxufy ZLIB complexity 0.9945784252058555

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@165/55@46/16

Source: C:\Users\user\Desktop\NWpNjnx.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\QTV28T4N.htm

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\690856bf-dda4-4de7-8257-2d0b09452109.tmp

Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000008.00000002.3058418152.00001B9C009C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.3438188575.0000417400E4E000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.4026775662.000021CC0097A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: NWpNjnx.exe, 00000000.00000003.2629990115.000000000587A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NWpNjnx.exe	Virustotal: Detection: 46%
Source: NWpNjnx.exe	ReversingLabs: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\NWpNjnx.exe "C:\Users\user\Desktop\NWpNjnx.exe"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2332,i,11926905524139979339,10828025431271423253,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2568 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2448,i,8754246349209548584,10503215830756298871,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3084 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2396,i,13745689592266742683,13129913647732731796,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2480 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2396,i,13745689592266742683,13129913647732731796,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5364 /prefetch:8
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2340,i,2587389878926192451,2990105616809838340,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1988,i,1760164721029637801,2658846490141056001,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=992 --field-trial-handle=2412,i,16395255640135883772,14137685151121912344,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=2452,i,1961410066156080185,15470953524769477924,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1964,i,17155506128084257532,3398633539599173768,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2360,i,18301246024878363182,2756229517446973756,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=2064,i,3132128271035991470,12309965145868920418,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2352,i,6541447083727747937,7400720925629244277,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=2004,i,5163077432638225654,8362902616666834378,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2348,i,687132200064469701,4580685076148190025,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2004,i,11658584872999196824,11487833335808583967,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2280,i,17704277969141967471,10006883037445517965,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2056,i,9332751546683616399,2193557983551615240,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2340,i,13878332601536474959,2812580655429299359,262144 /prefetch:3
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2332,i,11926905524139979339,10828025431271423253,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2568 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2448,i,8754246349209548584,10503215830756298871,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3084 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2396,i,13745689592266742683,13129913647732731796,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2480 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2396,i,13745689592266742683,13129913647732731796,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5364 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=2340,i,2587389878926192451,2990105616809838340,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1988,i,1760164721029637801,2658846490141056001,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=992 --field-trial-handle=2412,i,16395255640135883772,14137685151121912344,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=2452,i,1961410066156080185,15470953524769477924,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1964,i,17155506128084257532,3398633539599173768,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2452 --field-trial-handle=2360,i,18301246024878363182,2756229517446973756,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=2064,i,3132128271035991470,12309965145868920418,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2352,i,6541447083727747937,7400720925629244277,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=2004,i,5163077432638225654,8362902616666834378,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2348,i,687132200064469701,4580685076148190025,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2004,i,11658584872999196824,11487833335808583967,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=2280,i,17704277969141967471,10006883037445517965,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2056,i,9332751546683616399,2193557983551615240,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2340,i,13878332601536474959,2812580655429299359,262144 /prefetch:3

Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Section loaded: cabinet.dll	Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: NWpNjnx.exe

Static file information: File size 1755648 > 1048576

Source: NWpNjnx.exe

Static PE information: Raw size of izkxxufy is bigger than: 0x100000 < 0x199e00

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: NWpNjnx.exe

Static PE information: real checksum: 0x1b6343 should be: 0x1ad62e

Source: NWpNjnx.exe	Static PE information: section name:
Source: NWpNjnx.exe	Static PE information: section name: .idata
Source: NWpNjnx.exe	Static PE information: section name:
Source: NWpNjnx.exe	Static PE information: section name: izkxxufy
Source: NWpNjnx.exe	Static PE information: section name: wicyaxky
Source: NWpNjnx.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_0490F7C0 push es; iretd	0_3_0490F884
Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_04905013 push edx; ret	0_3_04905092
Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_0490B518 pushad ; ret	0_3_0490B519
Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_04909E35 pushad ; iretd	0_3_04909E73
Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_04911825 push ds; iretd	0_3_049118E4
Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_0490C12B push cs; iretd	0_3_0490C12C
Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_0490155B push eax; iretd	0_3_04901565
Source: C:\Users\user\Desktop\NWpNjnx.exe	Code function: 0_3_04911865 push ds; iretd	0_3_049118E4

Source: NWpNjnx.exe	Static PE information: section name: entropy: 7.976908298623632
Source: NWpNjnx.exe	Static PE information: section name: izkxxufy entropy: 7.954151437053642

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A20F0 second address: 5A210D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F0DD50CA451h 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A210D second address: 5A2113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58A278 second address: 58A27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58A27C second address: 58A28C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0DD50C2126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58A28C second address: 58A290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58A290 second address: 58A29A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0DD50C2126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58A29A second address: 58A2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0DD50CA459h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58A2BB second address: 58A2C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A1097 second address: 5A109B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A1503 second address: 5A1523 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0DD50C212Fh 0x0000000e jnl 00007F0DD50C2126h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A1523 second address: 5A152F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A168C second address: 5A1692 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A53C7 second address: 5A53CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A55BD second address: 5A564E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0DD50C212Ah 0x0000000e popad 0x0000000f xor dword ptr [esp], 1BED1D6Ah 0x00000016 clc 0x00000017 push 00000003h 0x00000019 mov dword ptr [ebp+122D1A6Bh], ebx 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+122D1AE1h], edi 0x00000027 mov ecx, dword ptr [ebp+122D29D9h] 0x0000002d push 00000003h 0x0000002f sub dword ptr [ebp+122D3029h], edi 0x00000035 push F8256747h 0x0000003a jg 00007F0DD50C2134h 0x00000040 xor dword ptr [esp], 38256747h 0x00000047 push 00000000h 0x00000049 push ebx 0x0000004a call 00007F0DD50C2128h 0x0000004f pop ebx 0x00000050 mov dword ptr [esp+04h], ebx 0x00000054 add dword ptr [esp+04h], 0000001Ah 0x0000005c inc ebx 0x0000005d push ebx 0x0000005e ret 0x0000005f pop ebx 0x00000060 ret 0x00000061 mov ecx, edi 0x00000063 lea ebx, dword ptr [ebp+1244C2F6h] 0x00000069 push eax 0x0000006a pushad 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A56A1 second address: 5A56F7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0DD50CA448h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1896h], esi 0x00000013 push 00000000h 0x00000015 mov di, ax 0x00000018 call 00007F0DD50CA449h 0x0000001d push esi 0x0000001e push ecx 0x0000001f je 00007F0DD50CA446h 0x00000025 pop ecx 0x00000026 pop esi 0x00000027 push eax 0x00000028 jmp 00007F0DD50CA450h 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F0DD50CA454h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A56F7 second address: 5A56FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A56FD second address: 5A57D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jnc 00007F0DD50CA456h 0x00000013 jmp 00007F0DD50CA450h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007F0DD50CA44Ah 0x00000021 pop eax 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F0DD50CA448h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c mov dword ptr [ebp+122D1B63h], eax 0x00000042 push 00000003h 0x00000044 call 00007F0DD50CA451h 0x00000049 mov dx, 9CB6h 0x0000004d pop esi 0x0000004e push 00000000h 0x00000050 pushad 0x00000051 jo 00007F0DD50CA44Ch 0x00000057 mov edx, dword ptr [ebp+122D297Dh] 0x0000005d jne 00007F0DD50CA449h 0x00000063 popad 0x00000064 push 00000003h 0x00000066 xor esi, dword ptr [ebp+122D2A59h] 0x0000006c push FA15DEB1h 0x00000071 jmp 00007F0DD50CA44Eh 0x00000076 xor dword ptr [esp], 3A15DEB1h 0x0000007d mov dword ptr [ebp+122D2EBEh], ecx 0x00000083 lea ebx, dword ptr [ebp+1244C301h] 0x00000089 jmp 00007F0DD50CA450h 0x0000008e push eax 0x0000008f push eax 0x00000090 push edx 0x00000091 push esi 0x00000092 pushad 0x00000093 popad 0x00000094 pop esi 0x00000095 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5A57D2 second address: 5A57D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C32DB second address: 5C32F1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0DD50CA446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e jbe 00007F0DD50CA45Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C32F1 second address: 5C3323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C212Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0DD50C212Ch 0x00000011 jmp 00007F0DD50C2130h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3323 second address: 5C333F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50CA456h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C34A8 second address: 5C34AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C35DD second address: 5C35EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0DD50CA446h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C35EC second address: 5C35FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C212Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C35FD second address: 5C3612 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3612 second address: 5C3616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3616 second address: 5C3631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50CA451h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C379B second address: 5C379F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C379F second address: 5C37AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F0DD50CA446h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C37AD second address: 5C37B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3C1D second address: 5C3C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3C28 second address: 5C3C4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2135h 0x00000007 jmp 00007F0DD50C212Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3C4F second address: 5C3C54 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3EEA second address: 5C3EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3EEE second address: 5C3F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0DD50CA44Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3F02 second address: 5C3F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C3F08 second address: 5C3F2F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0DD50CA44Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0DD50CA44Eh 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C4080 second address: 5C4096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C4096 second address: 5C409C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C409C second address: 5C40A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C40A0 second address: 5C40AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F0DD50CA446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C41DE second address: 5C41E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C41E2 second address: 5C41F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F0DD50CA446h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C41F0 second address: 5C41F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C41F6 second address: 5C420F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C420F second address: 5C4244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 ja 00007F0DD50C2126h 0x0000000e jmp 00007F0DD50C2134h 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0DD50C2130h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C43A4 second address: 5C43BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50CA452h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C43BC second address: 5C43D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0DD50C2137h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C43D8 second address: 5C43FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA454h 0x00000007 jp 00007F0DD50CA452h 0x0000000d je 00007F0DD50CA446h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C4573 second address: 5C4578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5BC083 second address: 5BC093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F0DD50CA446h 0x0000000a jl 00007F0DD50CA446h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C4CE6 second address: 5C4CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C212Ch 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C4CFA second address: 5C4D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C507F second address: 5C5083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C934D second address: 5C9397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F0DD50CA454h 0x00000010 pushad 0x00000011 jmp 00007F0DD50CA44Dh 0x00000016 jnc 00007F0DD50CA446h 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push esi 0x00000026 pop esi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C82B4 second address: 5C82B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5C94AC second address: 5C94B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5CC77C second address: 5CC798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50C2136h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D119B second address: 5D11CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0DD50CA452h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 js 00007F0DD50CA446h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D1457 second address: 5D14AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2137h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jl 00007F0DD50C2139h 0x00000012 jmp 00007F0DD50C2133h 0x00000017 jmp 00007F0DD50C2138h 0x0000001c jo 00007F0DD50C212Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D18FC second address: 5D1902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D1902 second address: 5D1906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D1906 second address: 5D190C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3B78 second address: 5D3B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3B7E second address: 5D3B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3B83 second address: 5D3B9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3B9A second address: 5D3B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3B9E second address: 5D3BD5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0DD50C2126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007F0DD50C2136h 0x00000010 pop ebx 0x00000011 popad 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push ebx 0x00000017 push eax 0x00000018 jne 00007F0DD50C2126h 0x0000001e pop eax 0x0000001f pop ebx 0x00000020 mov eax, dword ptr [eax] 0x00000022 push esi 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D400D second address: 5D4014 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D4829 second address: 5D482D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D482D second address: 5D4833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D4833 second address: 5D4838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D4838 second address: 5D4872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebx 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0DD50CA448h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 or dword ptr [ebp+122D2ECBh], esi 0x0000002a push eax 0x0000002b pushad 0x0000002c jns 00007F0DD50CA448h 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D4C9C second address: 5D4CB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2130h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D4E16 second address: 5D4E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D5382 second address: 5D5413 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F0DD50C2126h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F0DD50C2128h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov edi, 57644B83h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F0DD50C2128h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 jmp 00007F0DD50C212Ah 0x0000004d push 00000000h 0x0000004f push 00000000h 0x00000051 push ebp 0x00000052 call 00007F0DD50C2128h 0x00000057 pop ebp 0x00000058 mov dword ptr [esp+04h], ebp 0x0000005c add dword ptr [esp+04h], 00000019h 0x00000064 inc ebp 0x00000065 push ebp 0x00000066 ret 0x00000067 pop ebp 0x00000068 ret 0x00000069 xchg eax, ebx 0x0000006a je 00007F0DD50C2134h 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D5413 second address: 5D5419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D5419 second address: 5D5429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jnp 00007F0DD50C2126h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D5CF8 second address: 5D5D4B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b mov edi, dword ptr [ebp+122D38B7h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F0DD50CA448h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d or dword ptr [ebp+122D2EBEh], edx 0x00000033 xchg eax, ebx 0x00000034 jo 00007F0DD50CA45Ch 0x0000003a pushad 0x0000003b jmp 00007F0DD50CA44Eh 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D5D4B second address: 5D5D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D5D56 second address: 5D5D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D5D5A second address: 5D5D64 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D796A second address: 5D7974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0DD50CA446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D83DD second address: 5D8466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0DD50C2135h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jl 00007F0DD50C2136h 0x00000014 jmp 00007F0DD50C2130h 0x00000019 jg 00007F0DD50C2128h 0x0000001f popad 0x00000020 nop 0x00000021 clc 0x00000022 push 00000000h 0x00000024 jmp 00007F0DD50C2131h 0x00000029 mov dword ptr [ebp+12470AAFh], edi 0x0000002f push 00000000h 0x00000031 movzx esi, ax 0x00000034 jmp 00007F0DD50C2138h 0x00000039 xchg eax, ebx 0x0000003a jmp 00007F0DD50C212Dh 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 pop eax 0x00000045 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D81A4 second address: 5D81CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0DD50CA458h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D8EBC second address: 5D8F2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F0DD50C2128h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D2C59h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 or dword ptr [ebp+122D24F8h], esi 0x00000036 xor dword ptr [ebp+122D24F8h], ebx 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F0DD50C2139h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D8F2F second address: 5D8F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D9913 second address: 5D9917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D9917 second address: 5D9922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5DC089 second address: 5DC08D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5DF935 second address: 5DF939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5DFB6D second address: 5DFBF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 movzx ebx, si 0x00000009 push dword ptr fs:[00000000h] 0x00000010 mov dword ptr [ebp+1245256Dh], eax 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d mov ebx, dword ptr [ebp+12449D74h] 0x00000023 mov eax, dword ptr [ebp+122D0C31h] 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007F0DD50C2128h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 mov bx, di 0x00000046 push FFFFFFFFh 0x00000048 jmp 00007F0DD50C2132h 0x0000004d jmp 00007F0DD50C2130h 0x00000052 nop 0x00000053 push edx 0x00000054 jp 00007F0DD50C212Ch 0x0000005a pop edx 0x0000005b push eax 0x0000005c push esi 0x0000005d push ecx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E2B3D second address: 5E2B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E1D7E second address: 5E1D84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E1D84 second address: 5E1E14 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F0DD50CA448h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov ebx, edx 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 mov ebx, esi 0x00000037 mov eax, dword ptr [ebp+122D07EDh] 0x0000003d call 00007F0DD50CA452h 0x00000042 mov ebx, dword ptr [ebp+122D2B51h] 0x00000048 pop ebx 0x00000049 clc 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push edx 0x0000004f call 00007F0DD50CA448h 0x00000054 pop edx 0x00000055 mov dword ptr [esp+04h], edx 0x00000059 add dword ptr [esp+04h], 00000014h 0x00000061 inc edx 0x00000062 push edx 0x00000063 ret 0x00000064 pop edx 0x00000065 ret 0x00000066 or bx, 4D8Ah 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e jns 00007F0DD50CA448h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E2CD6 second address: 5E2CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E1E14 second address: 5E1E19 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E3A93 second address: 5E3AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50C2138h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E3AAF second address: 5E3AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnp 00007F0DD50CA44Ch 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D264Fh], esi 0x00000017 add bl, 0000007Ah 0x0000001a push 00000000h 0x0000001c mov di, C954h 0x00000020 mov dword ptr [ebp+12470CBAh], edi 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jl 00007F0DD50CA446h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E3AE6 second address: 5E3AEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E4A18 second address: 5E4A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E4A1D second address: 5E4A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub bl, 00000061h 0x0000000b push 00000000h 0x0000000d jmp 00007F0DD50C2131h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F0DD50C2128h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e jnc 00007F0DD50C2139h 0x00000034 mov di, 4EEDh 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E4A84 second address: 5E4A8E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E3C3B second address: 5E3C41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E5A1C second address: 5E5A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E3C41 second address: 5E3C46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E3C46 second address: 5E3C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50CA44Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0DD50CA44Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E4BC4 second address: 5E4BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E6B59 second address: 5E6BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F0DD50CA450h 0x0000000c popad 0x0000000d nop 0x0000000e mov ebx, 758EDDF6h 0x00000013 mov bl, C7h 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D3758h], esi 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push edi 0x00000022 call 00007F0DD50CA448h 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], edi 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc edi 0x00000035 push edi 0x00000036 ret 0x00000037 pop edi 0x00000038 ret 0x00000039 sub dword ptr [ebp+122D1E42h], ecx 0x0000003f xchg eax, esi 0x00000040 push esi 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 jmp 00007F0DD50CA458h 0x00000049 popad 0x0000004a pop esi 0x0000004b push eax 0x0000004c pushad 0x0000004d push edx 0x0000004e jg 00007F0DD50CA446h 0x00000054 pop edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E4CBE second address: 5E4CCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E6BDB second address: 5E6BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E4CCE second address: 5E4CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E7ADB second address: 5E7ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E7ADF second address: 5E7AE9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E99E1 second address: 5E99E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E99E7 second address: 5E99EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5EBD5E second address: 5EBD8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 pushad 0x0000000a movsx edx, cx 0x0000000d mov dx, cx 0x00000010 popad 0x00000011 push 00000000h 0x00000013 xor ebx, dword ptr [ebp+1246B095h] 0x00000019 push 00000000h 0x0000001b mov bh, 7Fh 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f jnc 00007F0DD50CA44Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5EBD8D second address: 5EBD91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5EBD91 second address: 5EBDA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F0DD50CA454h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E8C18 second address: 5E8C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0DD50C2126h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E7C8F second address: 5E7C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5ECE1B second address: 5ECE42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F0DD50C2126h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F0DD50C2136h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5ECE42 second address: 5ECEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0DD50CA455h 0x0000000a popad 0x0000000b nop 0x0000000c mov bl, 8Fh 0x0000000e call 00007F0DD50CA455h 0x00000013 movsx edi, cx 0x00000016 pop ebx 0x00000017 push 00000000h 0x00000019 movsx ebx, cx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F0DD50CA448h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 jnc 00007F0DD50CA456h 0x0000003e mov bx, di 0x00000041 xchg eax, esi 0x00000042 pushad 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E6D1B second address: 5E6D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E6D20 second address: 5E6DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0DD50CA44Fh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jl 00007F0DD50CA446h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 push ecx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F0DD50CA448h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 jmp 00007F0DD50CA44Ch 0x0000003c push dword ptr fs:[00000000h] 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a mov edi, dword ptr [ebp+12452E6Eh] 0x00000050 mov eax, dword ptr [ebp+122D0E79h] 0x00000056 jmp 00007F0DD50CA455h 0x0000005b push FFFFFFFFh 0x0000005d mov dword ptr [ebp+12453118h], edx 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 jng 00007F0DD50CA446h 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5E6DB6 second address: 5E6DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5EAD7E second address: 5EAD88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0DD50CA446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5ED0AF second address: 5ED0B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 597A95 second address: 597A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 597A9D second address: 597AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 597AA1 second address: 597AA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 597AA7 second address: 597ABB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007F0DD50C212Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 597ABB second address: 597AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5F582B second address: 5F5845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F0DD50C212Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5F5845 second address: 5F584D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5F584D second address: 5F5859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5F5859 second address: 5F585F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FED8E second address: 5FED9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0DD50C2126h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FF4DE second address: 5FF546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0DD50CA44Ch 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007F0DD50CA452h 0x00000011 jmp 00007F0DD50CA44Dh 0x00000016 jmp 00007F0DD50CA457h 0x0000001b jne 00007F0DD50CA464h 0x00000021 jmp 00007F0DD50CA458h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FF6A0 second address: 5FF6AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0DD50C2126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FF6AE second address: 5FF6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FF806 second address: 5FF830 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2135h 0x00000007 jbe 00007F0DD50C212Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FF830 second address: 5FF836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FF836 second address: 5FF847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F0DD50C212Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FFB25 second address: 5FFB29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FFB29 second address: 5FFB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FFE1B second address: 5FFE21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FFE21 second address: 5FFE26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FFE26 second address: 5FFE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50CA453h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FFE3F second address: 5FFE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0DD50C2126h 0x0000000a popad 0x0000000b jmp 00007F0DD50C2133h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F0DD50C2137h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5FFFCE second address: 5FFFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50CA455h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6065AF second address: 6065B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6065B5 second address: 6065DE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0DD50CA446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnp 00007F0DD50CA446h 0x00000014 pushad 0x00000015 popad 0x00000016 jo 00007F0DD50CA446h 0x0000001c push esi 0x0000001d pop esi 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007F0DD50CA446h 0x00000027 push esi 0x00000028 pop esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6065DE second address: 6065F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2134h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D23E4 second address: 5D23EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D287D second address: 5D288D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50C212Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D2A52 second address: 5D2A6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D2A6C second address: 5D2A76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0DD50C2126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D2A76 second address: 5D2A8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D2A8C second address: 5D2AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C2133h 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jmp 00007F0DD50C212Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0DD50C2137h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D2AD0 second address: 5D2AE7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0DD50CA446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D2AE7 second address: 5D2AED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D2AED second address: 5D2AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D36EE second address: 5D36F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D36F7 second address: 5D36FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D36FB second address: 5D372A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0DD50C2126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F0DD50C2133h 0x00000018 popad 0x00000019 jo 00007F0DD50C212Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D372A second address: 5D373F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jnp 00007F0DD50CA467h 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F0DD50CA446h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D373F second address: 5D3766 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2135h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007F0DD50C2128h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3766 second address: 5D376B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D37DD second address: 5D37F8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0DD50C212Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F0DD50C2128h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D37F8 second address: 5D3848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F0DD50CA446h 0x00000009 jg 00007F0DD50CA446h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0DD50CA448h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d lea eax, dword ptr [ebp+124791D6h] 0x00000033 mov dh, 1Fh 0x00000035 nop 0x00000036 pushad 0x00000037 push esi 0x00000038 jmp 00007F0DD50CA44Ah 0x0000003d pop esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3848 second address: 5D384C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D384C second address: 5D385E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F0DD50CA448h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D385E second address: 5D3878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50C2136h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6068DF second address: 6068E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6068E6 second address: 606909 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DD50C212Ch 0x00000008 jmp 00007F0DD50C2132h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 606909 second address: 60690F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 606A51 second address: 606A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C212Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 606E5E second address: 606E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 606FE8 second address: 606FEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 607132 second address: 60713E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jbe 00007F0DD50CA446h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 60AC74 second address: 60AC7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 60AC7A second address: 60AC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 60AC7E second address: 60AC82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 60AC82 second address: 60AC88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 60FEDD second address: 60FF10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2139h 0x00000007 jmp 00007F0DD50C2136h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6101E9 second address: 61020E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0DD50CA44Ah 0x0000000e jmp 00007F0DD50CA44Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61020E second address: 61022E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F0DD50C2126h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61022E second address: 610232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6103B6 second address: 6103CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61074B second address: 610777 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0DD50CA458h 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 610A5B second address: 610A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 610A5F second address: 610A64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 610EC0 second address: 610EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 617352 second address: 617398 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0DD50CA44Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jno 00007F0DD50CA45Bh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 push edi 0x00000018 pop edi 0x00000019 pop esi 0x0000001a jmp 00007F0DD50CA457h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 617398 second address: 61739F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 616086 second address: 61608F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61608F second address: 6160A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C212Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6160A6 second address: 6160AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6160AA second address: 6160AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6165E8 second address: 6165EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6165EE second address: 6165F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6165F7 second address: 6165FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61676D second address: 61678D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2138h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61678D second address: 616791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 616791 second address: 61679B instructions: 0x00000000 rdtsc 0x00000002 js 00007F0DD50C2126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61679B second address: 6167A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6167A1 second address: 6167A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 615D34 second address: 615D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 615D3A second address: 615D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 je 00007F0DD50C2126h 0x0000000f ja 00007F0DD50C2126h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 615D51 second address: 615D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 615D58 second address: 615D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 615D5E second address: 615D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50CA458h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 615D7A second address: 615D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D5C9 second address: 61D5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D5CD second address: 61D5E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2130h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D5E1 second address: 61D5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0DD50CA448h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D5EF second address: 61D5F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D5F5 second address: 61D610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA451h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D610 second address: 61D616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D616 second address: 61D61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D61A second address: 61D660 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0DD50C2126h 0x00000008 jmp 00007F0DD50C2132h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jne 00007F0DD50C2128h 0x00000018 jmp 00007F0DD50C2131h 0x0000001d push edi 0x0000001e pushad 0x0000001f popad 0x00000020 pop edi 0x00000021 jng 00007F0DD50C212Eh 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61CE8E second address: 61CE97 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61CFF1 second address: 61CFF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61CFF5 second address: 61D00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F0DD50CA44Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D00D second address: 61D013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 61D013 second address: 61D017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 595EB1 second address: 595EB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 621010 second address: 621014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62564C second address: 625652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 625652 second address: 625657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 625657 second address: 62565D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62565D second address: 625661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 625661 second address: 62566E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62566E second address: 625691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50CA44Dh 0x00000009 popad 0x0000000a jmp 00007F0DD50CA451h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3291 second address: 5D329B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0DD50C2126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D329B second address: 5D3300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jno 00007F0DD50CA44Ch 0x00000011 pop edi 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F0DD50CA448h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push 00000004h 0x0000002f mov di, bx 0x00000032 nop 0x00000033 pushad 0x00000034 js 00007F0DD50CA448h 0x0000003a pushad 0x0000003b popad 0x0000003c pushad 0x0000003d pushad 0x0000003e popad 0x0000003f jnc 00007F0DD50CA446h 0x00000045 popad 0x00000046 popad 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D3300 second address: 5D3307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62609D second address: 6260A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6260A5 second address: 6260A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62C6D6 second address: 62C6DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62C6DC second address: 62C6E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62C6E0 second address: 62C6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62C94E second address: 62C952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62C952 second address: 62C969 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0DD50CA44Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62CAD2 second address: 62CAF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F0DD50C2135h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62CAF1 second address: 62CAF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 62CAF5 second address: 62CB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C2130h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 63006C second address: 630074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 630074 second address: 630084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636629 second address: 636633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0DD50CA446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636633 second address: 636638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636799 second address: 6367BA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0DD50CA455h 0x00000008 jmp 00007F0DD50CA44Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 jnp 00007F0DD50CA446h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636A95 second address: 636A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636A99 second address: 636A9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636A9D second address: 636AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636AAB second address: 636AB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636AB0 second address: 636AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 636AB6 second address: 636ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 63760B second address: 637618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F0DD50C2142h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 63D223 second address: 63D240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnc 00007F0DD50CA446h 0x0000000b jmp 00007F0DD50CA450h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 63D397 second address: 63D39D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 63D67A second address: 63D67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 63D67E second address: 63D682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6424EA second address: 6424FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0DD50CA446h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6424FC second address: 642501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 64A9CC second address: 64A9DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 jnc 00007F0DD50CA446h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 64AB5D second address: 64AB9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2138h 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0DD50C212Eh 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a popad 0x0000001b jp 00007F0DD50C2126h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 64ACE1 second address: 64AD00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50CA455h 0x00000009 jp 00007F0DD50CA446h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 64AD00 second address: 64AD06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 64AD06 second address: 64AD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0DD50CA44Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 64AD1C second address: 64AD4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0DD50C2132h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F0DD50C212Eh 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 653B23 second address: 653B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F0DD50CA44Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 592964 second address: 592968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 660318 second address: 66031C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6625AF second address: 6625C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F0DD50C2132h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6625C8 second address: 6625CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6625CE second address: 6625D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6625D2 second address: 6625D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6625D8 second address: 6625EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C212Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 665FC7 second address: 665FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 665FCB second address: 665FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F0DD50C2134h 0x0000000e jmp 00007F0DD50C212Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 665FF4 second address: 665FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 665FF9 second address: 666018 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2131h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0DD50C212Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 665A2D second address: 665A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 665A32 second address: 665A37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 665A37 second address: 665A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0DD50CA446h 0x0000000a pop esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 66AB9E second address: 66ABA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58D82E second address: 58D851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0DD50CA446h 0x0000000a jmp 00007F0DD50CA459h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 58D851 second address: 58D85B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0DD50C2126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6726A3 second address: 6726A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679CFC second address: 679D02 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679D02 second address: 679D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679D08 second address: 679D0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679E74 second address: 679E8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0DD50CA44Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679E8A second address: 679E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679E90 second address: 679E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679E99 second address: 679E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 679E9F second address: 679EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 67A240 second address: 67A256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0DD50C2126h 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F0DD50C2126h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 67A4EE second address: 67A4F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 67B1F5 second address: 67B221 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007F0DD50C2136h 0x00000010 jng 00007F0DD50C2126h 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 67B221 second address: 67B225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 680736 second address: 68073C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 68073C second address: 680755 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA455h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 680755 second address: 68075A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 68075A second address: 68079F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007F0DD50CA46Fh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0DD50CA44Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6805C3 second address: 6805D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0DD50C2126h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6805D1 second address: 6805D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6805D8 second address: 6805E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F0DD50C2126h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69A786 second address: 69A78A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69A78A second address: 69A7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0DD50C2135h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69A7A5 second address: 69A7AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69A7AA second address: 69A7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69A628 second address: 69A64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0DD50CA446h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0DD50CA455h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69C866 second address: 69C86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69C3E4 second address: 69C3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69C3E8 second address: 69C401 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0DD50C2126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f jg 00007F0DD50C2126h 0x00000015 popad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69C401 second address: 69C40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007F0DD50CA44Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69C40E second address: 69C421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F0DD50C2138h 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F0DD50C2126h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 69C5BB second address: 69C5C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A6C87 second address: 6A6C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A7740 second address: 6A7773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F0DD50CA454h 0x00000015 jnc 00007F0DD50CA446h 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 pop esi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A7773 second address: 6A7777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A78B0 second address: 6A78D9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0DD50CA446h 0x00000008 jp 00007F0DD50CA446h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F0DD50CA456h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A7A40 second address: 6A7A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A7B87 second address: 6A7BEF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0DD50CA45Ah 0x00000008 jmp 00007F0DD50CA454h 0x0000000d jmp 00007F0DD50CA455h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F0DD50CA456h 0x0000001e jmp 00007F0DD50CA44Fh 0x00000023 popad 0x00000024 push edx 0x00000025 jng 00007F0DD50CA446h 0x0000002b push edx 0x0000002c pop edx 0x0000002d pop edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A7BEF second address: 6A7C00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F0DD50C2126h 0x00000009 jc 00007F0DD50C2126h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6A95C4 second address: 6A95CE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0DD50CA446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6AADBA second address: 6AADE9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0DD50C2145h 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F0DD50C2126h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6AADE9 second address: 6AADED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 6B1204 second address: 6B120C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D08A4 second address: 49D08DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F0DD50CA451h 0x0000000b or ax, 9B56h 0x00000010 jmp 00007F0DD50CA451h 0x00000015 popfd 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edi, cx 0x0000001e mov edi, esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D08DD second address: 49D08E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D08E3 second address: 49D0942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0DD50CA44Bh 0x00000012 and si, 153Eh 0x00000017 jmp 00007F0DD50CA459h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F0DD50CA450h 0x00000023 jmp 00007F0DD50CA455h 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0942 second address: 49D0950 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov al, dl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0950 second address: 49D09B7 instructions: 0x00000000 rdtsc 0x00000002 call 00007F0DD50CA44Dh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a movsx edi, si 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 jmp 00007F0DD50CA458h 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F0DD50CA44Dh 0x0000001f jmp 00007F0DD50CA44Bh 0x00000024 popfd 0x00000025 jmp 00007F0DD50CA458h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970068 second address: 497006E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 497006E second address: 4970074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970074 second address: 4970078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970078 second address: 497007C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 497007C second address: 49700C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F0DD50C2131h 0x00000013 pop esi 0x00000014 pushfd 0x00000015 jmp 00007F0DD50C2131h 0x0000001a add ecx, 5F1B90B6h 0x00000020 jmp 00007F0DD50C2131h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49700C7 second address: 4970138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DD50CA457h 0x00000008 jmp 00007F0DD50CA458h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ebx, 69047450h 0x0000001a pushfd 0x0000001b jmp 00007F0DD50CA459h 0x00000020 or cx, 54D6h 0x00000025 jmp 00007F0DD50CA451h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970274 second address: 497028E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 497028E second address: 49702B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0DD50CA450h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49702B2 second address: 49702B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49702B8 second address: 4970309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0DD50CA453h 0x00000009 or ax, 2BCEh 0x0000000e jmp 00007F0DD50CA459h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007F0DD50CA451h 0x0000001d xchg eax, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970309 second address: 4970310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970310 second address: 4970325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50CA451h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970325 second address: 4970329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970329 second address: 497034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0DD50CA458h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 497034E second address: 49703C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esi, esi 0x0000000b pushad 0x0000000c mov eax, ebx 0x0000000e pushfd 0x0000000f jmp 00007F0DD50C2131h 0x00000014 and ah, 00000026h 0x00000017 jmp 00007F0DD50C2131h 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [esp+10h], esi 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F0DD50C212Ch 0x00000029 add ah, FFFFFFC8h 0x0000002c jmp 00007F0DD50C212Bh 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 call 00007F0DD50C2136h 0x00000039 pop ecx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49703C4 second address: 49703F4 instructions: 0x00000000 rdtsc 0x00000002 mov dh, 6Eh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+14h], esi 0x0000000b jmp 00007F0DD50CA44Ah 0x00000010 push dword ptr [edi] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0DD50CA457h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49703F4 second address: 4970446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, CAh 0x00000005 movzx ecx, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebp 0x0000000c pushad 0x0000000d mov al, CFh 0x0000000f mov dh, 71h 0x00000011 popad 0x00000012 mov dword ptr [esp], ebx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F0DD50C2138h 0x0000001c sub cx, 9F48h 0x00000021 jmp 00007F0DD50C212Bh 0x00000026 popfd 0x00000027 mov ah, 86h 0x00000029 popad 0x0000002a call 00007F0DD50C2129h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970446 second address: 4970462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA458h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970462 second address: 49704C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0DD50C2131h 0x00000009 jmp 00007F0DD50C212Bh 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 call 00007F0DD50C2132h 0x00000019 mov di, ax 0x0000001c pop esi 0x0000001d mov ax, di 0x00000020 popad 0x00000021 mov eax, dword ptr [esp+04h] 0x00000025 pushad 0x00000026 mov ebx, 6759C998h 0x0000002b popad 0x0000002c mov eax, dword ptr [eax] 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push ebx 0x00000032 pop esi 0x00000033 call 00007F0DD50C212Fh 0x00000038 pop esi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49704C5 second address: 49704CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49704CB second address: 49704CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970594 second address: 497061B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F0E46F899C3h 0x0000000f pushad 0x00000010 push ebx 0x00000011 pushfd 0x00000012 jmp 00007F0DD50CA44Eh 0x00000017 adc al, 00000038h 0x0000001a jmp 00007F0DD50CA44Bh 0x0000001f popfd 0x00000020 pop eax 0x00000021 popad 0x00000022 call dword ptr [76880B60h] 0x00000028 mov eax, 7709E5E0h 0x0000002d ret 0x0000002e jmp 00007F0DD50CA44Fh 0x00000033 mov eax, dword ptr [eax+54h] 0x00000036 pushad 0x00000037 call 00007F0DD50CA454h 0x0000003c push eax 0x0000003d pop ebx 0x0000003e pop esi 0x0000003f mov dx, 1A12h 0x00000043 popad 0x00000044 test eax, eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 call 00007F0DD50CA452h 0x0000004e pop esi 0x0000004f pushad 0x00000050 popad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 497061B second address: 4970621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4970621 second address: 4970625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E09DE second address: 49E0A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2139h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0DD50C212Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 mov bl, 02h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0A10 second address: 49E0AAB instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F0DD50CA455h 0x0000000d sbb ch, 00000056h 0x00000010 jmp 00007F0DD50CA451h 0x00000015 popfd 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F0DD50CA44Eh 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 call 00007F0DD50CA44Eh 0x00000025 pushad 0x00000026 popad 0x00000027 pop esi 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F0DD50CA457h 0x0000002f sbb si, 4CEEh 0x00000034 jmp 00007F0DD50CA459h 0x00000039 popfd 0x0000003a mov ah, 60h 0x0000003c popad 0x0000003d popad 0x0000003e push dword ptr [ebp+0Ch] 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0AAB second address: 49E0AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0AAF second address: 49E0AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0AB5 second address: 49E0AD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 movsx ebx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+08h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0DD50C212Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0AD2 second address: 49E0AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0AD6 second address: 49E0ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0ADC second address: 49E0B22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DD50CA44Ch 0x00000008 call 00007F0DD50CA452h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push 76CE492Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0DD50CA458h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0B22 second address: 49E0B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4980A50 second address: 4980AAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DD50CA451h 0x00000008 movzx esi, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F0DD50CA456h 0x00000016 sbb si, D858h 0x0000001b jmp 00007F0DD50CA44Bh 0x00000020 popfd 0x00000021 mov bx, ax 0x00000024 popad 0x00000025 mov dword ptr [esp], ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0DD50CA44Ch 0x00000031 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4980AAB second address: 4980AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4980AAF second address: 4980AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4980AB5 second address: 4980AF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F0DD50C2130h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0DD50C2137h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4980AF3 second address: 4980B0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50CA454h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D082F second address: 49D083E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D083E second address: 49D0858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0DD50CA44Bh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0858 second address: 49D085C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D085C second address: 49D0860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0860 second address: 49D0866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D05DB second address: 49D0651 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [ebp-04h], 00000000h 0x0000000d jmp 00007F0DD50CA44Eh 0x00000012 mov edx, dword ptr [ebp+0Ch] 0x00000015 jmp 00007F0DD50CA450h 0x0000001a mov eax, dword ptr [ebp+08h] 0x0000001d pushad 0x0000001e mov ax, F25Dh 0x00000022 mov ah, 57h 0x00000024 popad 0x00000025 mov esi, eax 0x00000027 pushad 0x00000028 jmp 00007F0DD50CA44Bh 0x0000002d push esi 0x0000002e jmp 00007F0DD50CA44Fh 0x00000033 pop esi 0x00000034 popad 0x00000035 sub esi, edx 0x00000037 pushad 0x00000038 mov edx, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0651 second address: 49D0694 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0DD50C212Ah 0x00000008 sub ecx, 6E6F0C48h 0x0000000e jmp 00007F0DD50C212Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov cl, byte ptr [edx] 0x00000019 jmp 00007F0DD50C2136h 0x0000001e mov byte ptr [esi+edx], cl 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0694 second address: 49D0698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0698 second address: 49D069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D069E second address: 49D06A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D06A3 second address: 49D073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F0DD50C2130h 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d inc edx 0x0000000e jmp 00007F0DD50C2131h 0x00000013 test cl, cl 0x00000015 jmp 00007F0DD50C212Eh 0x0000001a jne 00007F0DD50C20B6h 0x00000020 jmp 00007F0DD50C2130h 0x00000025 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000002c pushad 0x0000002d mov ax, 192Dh 0x00000031 mov cx, 1B29h 0x00000035 popad 0x00000036 mov ecx, dword ptr [ebp-10h] 0x00000039 jmp 00007F0DD50C2134h 0x0000003e mov dword ptr fs:[00000000h], ecx 0x00000045 jmp 00007F0DD50C2130h 0x0000004a pop ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e mov ecx, edx 0x00000050 push edi 0x00000051 pop eax 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D073B second address: 49D0760 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0DD50CA44Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0760 second address: 49D076F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D076F second address: 49D07AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F0DD50CA44Eh 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jmp 00007F0DD50CA44Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D07AF second address: 49D07B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D07B3 second address: 49D07D1 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 leave 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0DD50CA452h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D07D1 second address: 49D07E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D07E0 second address: 49D07F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50CA454h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D07F8 second address: 49D082F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0008h 0x0000000e nop 0x0000000f mov eax, esi 0x00000011 pop esi 0x00000012 pop edi 0x00000013 pop ebx 0x00000014 pop ebp 0x00000015 retn 0004h 0x00000018 lea ecx, dword ptr [ebp-50h] 0x0000001b push 0041FD48h 0x00000020 call 00007F0DD50BB432h 0x00000025 push ebp 0x00000026 push ebx 0x00000027 push edi 0x00000028 push esi 0x00000029 mov esi, ecx 0x0000002b mov ebx, dword ptr [esp+14h] 0x0000002f push ebx 0x00000030 call 00007F0DD96834B1h 0x00000035 mov edi, edi 0x00000037 pushad 0x00000038 movzx ecx, di 0x0000003b mov edi, 161AD114h 0x00000040 popad 0x00000041 push esp 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F0DD50C2132h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D000E second address: 49D0020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50CA44Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0020 second address: 49D0024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0024 second address: 49D0048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F0DD50CA449h 0x0000000d pushad 0x0000000e call 00007F0DD50CA44Dh 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 mov dl, ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0048 second address: 49D00F6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0DD50C212Fh 0x00000008 and ax, 122Eh 0x0000000d jmp 00007F0DD50C2139h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 mov dx, 5142h 0x0000001c pushfd 0x0000001d jmp 00007F0DD50C2133h 0x00000022 xor cx, A83Eh 0x00000027 jmp 00007F0DD50C2139h 0x0000002c popfd 0x0000002d popad 0x0000002e mov eax, dword ptr [esp+04h] 0x00000032 jmp 00007F0DD50C2131h 0x00000037 mov eax, dword ptr [eax] 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c pushfd 0x0000003d jmp 00007F0DD50C212Dh 0x00000042 and eax, 36883526h 0x00000048 jmp 00007F0DD50C2131h 0x0000004d popfd 0x0000004e rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D00F6 second address: 49D012A instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, 47C720F3h 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007F0DD50CA452h 0x00000019 pop ecx 0x0000001a call 00007F0DD50CA44Bh 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D012A second address: 49D015E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0DD50C2137h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D01FE second address: 49D0204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0204 second address: 49D0208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0284 second address: 49D0294 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 sub edx, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0294 second address: 49D029A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D029A second address: 49D02C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA454h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0DD50CA44Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D02C3 second address: 49D02D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D02D2 second address: 49D0309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a pushad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f popad 0x00000010 lea ebx, dword ptr [edi+01h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0DD50CA44Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0309 second address: 49D030F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D030F second address: 49D0313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0313 second address: 49D033E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov al, byte ptr [edi+01h] 0x0000000b jmp 00007F0DD50C2139h 0x00000010 inc edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D033E second address: 49D0342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0342 second address: 49D0355 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0355 second address: 49D035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D035B second address: 49D0387 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a jmp 00007F0DD50C2137h 0x0000000f jne 00007F0E46F0A829h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0387 second address: 49D038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, bh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D038E second address: 49D0394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0394 second address: 49D0398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0398 second address: 49D039C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D039C second address: 49D0402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, edx 0x0000000a jmp 00007F0DD50CA451h 0x0000000f shr ecx, 02h 0x00000012 jmp 00007F0DD50CA44Eh 0x00000017 rep movsd 0x00000019 rep movsd 0x0000001b rep movsd 0x0000001d rep movsd 0x0000001f pushad 0x00000020 mov ebx, esi 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 popad 0x00000027 mov ecx, edx 0x00000029 pushad 0x0000002a mov dx, si 0x0000002d push ecx 0x0000002e call 00007F0DD50CA459h 0x00000033 pop ecx 0x00000034 pop ebx 0x00000035 popad 0x00000036 and ecx, 03h 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e mov di, 343Ah 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0402 second address: 49D045F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 36h 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rep movsb 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0DD50C212Bh 0x00000013 and al, FFFFFF8Eh 0x00000016 jmp 00007F0DD50C2139h 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007F0DD50C212Eh 0x00000024 jmp 00007F0DD50C2135h 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D045F second address: 49D0497 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000000f pushad 0x00000010 call 00007F0DD50CA459h 0x00000015 mov di, cx 0x00000018 pop ecx 0x00000019 mov ah, dh 0x0000001b popad 0x0000001c mov eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0497 second address: 49D049D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D049D second address: 49D04A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D04A1 second address: 49D0533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp-10h] 0x0000000b pushad 0x0000000c mov cx, dx 0x0000000f mov ebx, 590B560Eh 0x00000014 popad 0x00000015 mov dword ptr fs:[00000000h], ecx 0x0000001c jmp 00007F0DD50C2135h 0x00000021 pop ecx 0x00000022 pushad 0x00000023 jmp 00007F0DD50C212Ch 0x00000028 mov ebx, eax 0x0000002a popad 0x0000002b pop edi 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F0DD50C212Ah 0x00000033 add esi, 2C0DDFB8h 0x00000039 jmp 00007F0DD50C212Bh 0x0000003e popfd 0x0000003f mov esi, 28010BEFh 0x00000044 popad 0x00000045 pop esi 0x00000046 jmp 00007F0DD50C2132h 0x0000004b pop ebx 0x0000004c jmp 00007F0DD50C2130h 0x00000051 leave 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0533 second address: 49D0537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49D0537 second address: 49D053D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D6827 second address: 5D682D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D69E7 second address: 5D6A16 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0DD50C2126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F0DD50C2132h 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0DD50C212Bh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 5D6A16 second address: 5D6A20 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0DD50CA446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A08E1 second address: 49A08E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A08E5 second address: 49A08EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A08EB second address: 49A08F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A08F1 second address: 49A08F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A08F5 second address: 49A0965 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0DD50C2130h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov esi, edx 0x00000015 pushad 0x00000016 jmp 00007F0DD50C2133h 0x0000001b jmp 00007F0DD50C2138h 0x00000020 popad 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F0DD50C2130h 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A0965 second address: 49A0969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A0969 second address: 49A096F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49A096F second address: 49A097E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50CA44Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4990011 second address: 4990017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4990017 second address: 499001B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 499001B second address: 4990031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0DD50C212Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4990031 second address: 4990089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0DD50CA44Ch 0x00000013 sbb si, C848h 0x00000018 jmp 00007F0DD50CA44Bh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 call 00007F0DD50CA456h 0x00000025 pop esi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 4990089 second address: 49900C8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0DD50C212Bh 0x00000008 add cl, 0000003Eh 0x0000000b jmp 00007F0DD50C2139h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F0DD50C212Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0021 second address: 49E003C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E003C second address: 49E0042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0042 second address: 49E0046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0116 second address: 49E0132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2138h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0132 second address: 49E0148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0148 second address: 49E016D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0DD50C212Eh 0x0000000a add cx, 7918h 0x0000000f jmp 00007F0DD50C212Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E016D second address: 49E0173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0173 second address: 49E01CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc edi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0DD50C2134h 0x00000013 add si, 9AA8h 0x00000018 jmp 00007F0DD50C212Bh 0x0000001d popfd 0x0000001e mov dl, ah 0x00000020 popad 0x00000021 and dword ptr [ebp-04h], 00000000h 0x00000025 pushad 0x00000026 mov bh, 1Fh 0x00000028 movzx eax, bx 0x0000002b popad 0x0000002c test ebx, ebx 0x0000002e pushad 0x0000002f mov ah, bh 0x00000031 movzx ecx, dx 0x00000034 popad 0x00000035 je 00007F0E4787501Eh 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E01CF second address: 49E01D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E01D5 second address: 49E01DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E01DB second address: 49E01DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E01DF second address: 49E021C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2135h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-00000110h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007F0DD50C2133h 0x00000019 pop esi 0x0000001a mov di, 1C0Ch 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E021C second address: 49E027F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0DD50CA44Dh 0x00000013 or eax, 3A5A4996h 0x00000019 jmp 00007F0DD50CA451h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F0DD50CA450h 0x00000025 sbb cx, 51B8h 0x0000002a jmp 00007F0DD50CA44Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E027F second address: 49E0285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0314 second address: 49E0318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0318 second address: 49E0335 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2139h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0335 second address: 49E037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 8562h 0x00000007 pushfd 0x00000008 jmp 00007F0DD50CA453h 0x0000000d or si, C65Eh 0x00000012 jmp 00007F0DD50CA459h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr [ebp-00000110h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E037E second address: 49E0382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0382 second address: 49E0386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0386 second address: 49E038C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E038C second address: 49E03BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebx], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0DD50CA457h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E03BD second address: 49E03D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50C2134h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E03D5 second address: 49E03F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea ecx, dword ptr [ebp-0000010Ch] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E03F2 second address: 49E03F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E03F6 second address: 49E03FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E03FA second address: 49E0400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0400 second address: 49E0406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E043E second address: 49E04F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0DD50C212Fh 0x00000009 and cx, B69Eh 0x0000000e jmp 00007F0DD50C2139h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F0DD50C2130h 0x0000001a adc ax, 6898h 0x0000001f jmp 00007F0DD50C212Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 mov dword ptr [ebp-00000118h], eax 0x0000002e jmp 00007F0DD50C2136h 0x00000033 test eax, eax 0x00000035 jmp 00007F0DD50C2130h 0x0000003a je 00007F0E47874D26h 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007F0DD50C212Eh 0x00000047 or eax, 04296D58h 0x0000004d jmp 00007F0DD50C212Bh 0x00000052 popfd 0x00000053 push eax 0x00000054 push edx 0x00000055 mov cx, 44A5h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E04F1 second address: 49E0500 instructions: 0x00000000 rdtsc 0x00000002 mov si, 8621h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0500 second address: 49E0508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0508 second address: 49E0558 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0DD50CA44Eh 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F0DD50CA44Bh 0x0000000f jmp 00007F0DD50CA453h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F0DD50CA452h 0x00000021 mov si, 5F51h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0558 second address: 49E05B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2137h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov edi, ecx 0x0000000d movzx eax, bx 0x00000010 popad 0x00000011 lea ecx, dword ptr [ebx+04h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushfd 0x00000018 jmp 00007F0DD50C212Fh 0x0000001d add eax, 240D219Eh 0x00000023 jmp 00007F0DD50C2139h 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E05B1 second address: 49E05C6 instructions: 0x00000000 rdtsc 0x00000002 mov si, 9967h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 mov al, bh 0x0000000b pop esi 0x0000000c popad 0x0000000d push 00000027h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E05C6 second address: 49E05CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E05CC second address: 49E05D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E05D2 second address: 49E05D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E05D6 second address: 49E05F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E06AA second address: 49E06B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E06B0 second address: 49E06C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0DD50CA44Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E06C9 second address: 49E06CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0DD8 second address: 49E0DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0E71 second address: 49E0E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0E77 second address: 49E0E98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA44Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0DD50CA44Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0E98 second address: 49E0E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0E9E second address: 49E0EBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0DD50CA450h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0BB2 second address: 49E0BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0BB6 second address: 49E0BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49E0BBC second address: 49E0C0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C2136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d jmp 00007F0DD50C212Eh 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F0DD50C2138h 0x0000001d mov bx, ax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F006E second address: 49F0085 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0DD50CA44Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F0085 second address: 49F0109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50C212Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F0DD50C2134h 0x00000011 mov cx, 3801h 0x00000015 pop esi 0x00000016 mov di, 3732h 0x0000001a popad 0x0000001b mov ecx, dword ptr [ebp+08h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F0DD50C2132h 0x00000027 sub ah, 00000048h 0x0000002a jmp 00007F0DD50C212Bh 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007F0DD50C2138h 0x00000036 sbb ecx, 67D37EA8h 0x0000003c jmp 00007F0DD50C212Bh 0x00000041 popfd 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F0109 second address: 49F012E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F012E second address: 49F0132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F0132 second address: 49F0138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F0138 second address: 49F014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0DD50C2131h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F014D second address: 49F0151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F0151 second address: 49F0165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F0E469D4C0Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F0165 second address: 49F017B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0DD50CA452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWpNjnx.exe	RDTSC instruction interceptor: First address: 49F017B second address: 49F0181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\NWpNjnx.exe	Special instruction interceptor: First address: 42A56E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NWpNjnx.exe	Special instruction interceptor: First address: 65441E instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\NWpNjnx.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe	Window / User API: threadDelayed 1034	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window / User API: threadDelayed 809	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window / User API: threadDelayed 882	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window / User API: threadDelayed 1657	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window / User API: threadDelayed 868	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Window / User API: threadDelayed 1379	Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8532	Thread sleep count: 1034 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8532	Thread sleep time: -2069034s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8528	Thread sleep count: 809 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8528	Thread sleep time: -1618809s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8536	Thread sleep count: 882 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8536	Thread sleep time: -1764882s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8544	Thread sleep count: 1657 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8544	Thread sleep time: -3315657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8548	Thread sleep count: 868 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8548	Thread sleep time: -1736868s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8552	Thread sleep count: 1379 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8552	Thread sleep time: -2759379s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8544	Thread sleep count: 275 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe TID: 8544	Thread sleep time: -550275s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorR
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorQ
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3925381397.000002C5D8328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partitiont(2}
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor?
Source: chrome.exe, 0000000E.00000003.3525496078.000002C5D83A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: redo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes^
Source: chrome.exe, 0000000E.00000002.3925381397.000002C5D8328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionn
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipest
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3729447455.000002C5D0B18000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: chrome.exe, 00000008.00000002.2790632814.0000019FB6127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition.dllk9
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3925381397.000002C5D8328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3925381397.000002C5D82EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processormui
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor +
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ctjubbqgxoldmhe Busp
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: chrome.exe, 00000008.00000002.2790632814.0000019FB6127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition
Source: chrome.exe, 00000008.00000002.2790632814.0000019FB60E5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ctjubbqgxoldmhe Bus Pipes
Source: chrome.exe, 00000008.00000003.2730825426.0000019FBD4CF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2732959843.0000019FBD4D2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2734155626.0000019FBD4D2000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2730523323.0000019FBD4B3000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2792208015.0000019FBD4D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816CallsU
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition@
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll
Source: chrome.exe, 0000000E.00000002.4088609501.000021CC01884000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD4A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: chrome.exe, 0000000E.00000003.3525496078.000002C5D83A3000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3524015668.000002C5D839A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3523627985.000002C5D8370000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags
Source: chrome.exe, 00000008.00000002.3064999581.00001B9C01224000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=ccaf046f-2ef2-40fd-9efc-7aad9ded39be
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor1
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorG
Source: chrome.exe, 0000000E.00000003.3524410619.000002C5D8370000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000003.3523627985.000002C5D8370000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )3180Compaction write latency (100 ns)3184Compacted Container Fill Ratio (%)3188Compactions failed due to ineligible container3190Compactions failed due to max fragmentation3192Container Move Retry Count3194Container moves failed due to ineligible container3196Compaction Failure Count3198Container Move Failure Count3200Dirty metadata pages3202Dirty table list entries3204Delete Queue entries9698Storage Management WSP Spaces Runtime9700Runtime Count 4ms9702Runtime Count 16ms9704Runtime Count 64ms9706Runtime Count 256ms9708Runtime Count 1s9710Runtime Count 4s9712Runtime Count 16s9714Runtime Count 1min9716Runtime Count Infinite3094Hyper-V Virtual Machine Bus Pipes3096Reads/sec3098Writes/sec3100Bytes Read/sec3102Bytes Written/sec9616SMB Direct Connection9618Stalls (Send Credit)/sec9620Stalls (Send Queue)/sec9622Stalls (RDMA Registrations)/sec9624Sends/sec9626Remote Invalidations/sec9628Memory Regions9630Bytes Received/sec9632Bytes Sent/sec9634Bytes RDMA Read/sec9636Bytes RDMA Written/sec9638Stalls (RDMA Read)/sec9640Receives/sec9642RDMA Registrations/sec9644SCQ Notification Events/sec9646RCQ Notification Events/sec9648Spurious RCQ Notification Events9650Spurious SCQ Notification Events9504Offline Files9506Bytes Received9508Bytes Transmitted9510Bytes Transmitted/sec9514Bytes Received/sec9518Client Side Caching9520SMB BranchCache Bytes Requested9522SMB BranchCache Bytes Received9524SMB BranchCache Bytes Published9526SMB BranchCache Bytes Requested From Server9528SMB BranchCache Hashes Requested9530SMB BranchCache Hashes Received9532SMB BranchCache Hash Bytes Received9534Prefetch Operations Queued9536Prefetch Bytes Read From Cache9538Prefetch Bytes Read From Server9540Application Bytes Read From Cache9542Application Bytes Read From Server9544Application Bytes Read From Server (Not Cached)3260Teredo Relay3262In - Teredo Relay Total Packets: Success + Error3264In - Teredo Relay Success Packets: Total3266In - Teredo Relay Success Packets: Bubbles3268In - Teredo Relay Success Packets: Data Packets3270In - Teredo Relay Error Packets: Total3272In - Teredo Relay Error Packets: Header Error3274In - Teredo Relay Error Packets: Source Error3276In - Teredo Relay Error Packets: Destination Error3278Out - Teredo Relay Total Packets: Success + Error3280Out - Teredo Relay Success Packets3282Out - Teredo Relay Success Packets: Bubbles3284Out - Teredo Relay Success Packets: Data Packets3286Out - Teredo Relay Error Packets3288Out - Teredo Relay Error Packets: Header Error3290Out - Teredo Relay Error Packets: Source Error3292Out - Teredo Relay Error Packets: Destination Error3294In - Teredo Relay Total Packets: Success + Error / sec3296Out - Teredo Relay Total Packets: Success + Error / sec3298In - Teredo Relay Success Packets: Data Packets User Mode3300In - Teredo Relay Success Packets: Data Packets Kernel Mode3302Out - Teredo Relay Success Packets: Data Packets User Mode3304Out - Teredo Relay Success Packets: Data Packets Kernel Mode3306IPHTTPS Session3308Packets receive
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: chrome.exe, 0000000E.00000002.4086973314.000021CC01538000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=bab94cd5-b56f-4161-92cb-ecb5ad3548b2
Source: chrome.exe, 00000008.00000003.2729982703.0000019FBD542000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2792332551.0000019FBD55D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 T
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitiond
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9DFC000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2791523853.0000019FB9E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: chrome.exe, 0000000E.00000002.3729447455.000002C5D0BCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partitionb"*I7
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3925381397.000002C5D82EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: chrome.exe, 0000000E.00000002.4085813974.000021CC01394000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: chrome.exe, 00000008.00000003.2733045359.0000019FBD4A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: chrome.exe, 0000000E.00000002.3925381397.000002C5D82EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorr
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 0000000B.00000002.3416339062.000001FFC6893000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service(
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ctjubbqgxoldmhe Bus
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisori
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9DAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service/
Source: chrome.exe, 0000000E.00000002.4081819621.000021CC00BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=bab94cd5-b56f-4161-92cb-ecb5ad3548b2
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3925381397.000002C5D8328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: chrome.exe, 0000000E.00000003.3525858410.000002C5D835D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count SnapshotORWA
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: chrome.exe, 00000008.00000003.2733415863.0000019FBD57D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Mon
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorn
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: chrome.exe, 0000000E.00000003.3526151244.000002C5D834C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: chrome.exe, 0000000E.00000002.3925381397.000002C5D82EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processorr
Source: chrome.exe, 00000008.00000002.2791986952.0000019FBD46B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3925381397.000002C5D8328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.sysCr
Source: chrome.exe, 00000008.00000002.3064999581.00001B9C01224000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=ccaf046f-2ef2-40fd-9efc-7aad9ded39be
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: chrome.exe, 00000008.00000003.2734022458.0000019FBD53F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.2730302561.0000019FBD527000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec487
Source: chrome.exe, 0000000E.00000002.3925381397.000002C5D8328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitionlll
Source: msedge.exe, 0000001B.00000003.4294059866.000003F000300000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: NWpNjnx.exe, 00000000.00000003.6637572587.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: chrome.exe, 00000008.00000002.2790632814.0000019FB608C000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000E.00000002.3729447455.000002C5D0B18000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000001B.00000002.4343756295.000002158F642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processortmp
Source: chrome.exe, 00000008.00000002.2791523853.0000019FB9E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor(t
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceL}]H
Source: chrome.exe, 0000000E.00000002.4081819621.000021CC00BB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=bab94cd5-b56f-4161-92cb-ecb5ad3548b20
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4822000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorr
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D4865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys^usH
Source: chrome.exe, 0000000E.00000002.3866135595.000002C5D47D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes.

Source: C:\Users\user\Desktop\NWpNjnx.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\NWpNjnx.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\NWpNjnx.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: NTICE
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: SICE
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\NWpNjnx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\NWpNjnx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000003.1416813978.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1465072272.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1416733537.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NWpNjnx.exe PID: 8512, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NWpNjnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\NWpNjnx.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Source: Yara match

File source: Process Memory Space: NWpNjnx.exe PID: 8512, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\NWpNjnx.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000003.1416813978.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1465072272.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1416733537.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NWpNjnx.exe PID: 8512, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	24 Virtualization/Sandbox Evasion	LSASS Memory	631 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	223 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
NWpNjnx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NWpNjnx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
NWpNjnx.exe