Edit tour

Windows Analysis Report
jPKFh06jHI.exe

Overview

General Information

Sample name:	jPKFh06jHI.exe renamed because original name is a hash value
Original sample name:	9baf61196c985b17067f787d6373f142.exe
Analysis ID:	1658540
MD5:	9baf61196c985b17067f787d6373f142
SHA1:	1dda434580f65aff8e0f9dbcd20a3e46c56db89e
SHA256:	12dab9b1e693d996b00cd7812e3aa160fe3d85bd3441eb5655fd5f5d853984be
Tags:	exeuser-abuse_ch
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

jPKFh06jHI.exe (PID: 6824 cmdline: "C:\Users\user\Desktop\jPKFh06jHI.exe" MD5: 9BAF61196C985B17067F787D6373F142)

cmd.exe (PID: 6904 cmdline: "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7028 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7052 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7112 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7100 cmdline: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6172 cmdline: cmd /c md 714380 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 6312 cmdline: extrac32 /Y /E Hiv.jar MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 6156 cmdline: findstr /V "prague" Mean MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6176 cmdline: cmd /c copy /b 714380\Wake.com + Valuable + Concert + Cap + Continuously + Portable + Electro + Volleyball + Alien + Convicted + Acids + Assumes 714380\Wake.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5732 cmdline: cmd /c copy /b ..\Revelation.jar + ..\Keyboard.jar + ..\Ellis.jar + ..\Leaves.jar + ..\Grass.jar T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Wake.com (PID: 5716 cmdline: Wake.com T MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 3696 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5124 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2292,i,16634395396908281,15865996952827246330,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2440 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

msedge.exe (PID: 8156 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7772 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2220,i,16376653140617758097,345704766534090837,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

choice.exe (PID: 1264 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

msedge.exe (PID: 7780 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7428 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3792 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6936 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5364 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7248 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6880 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7184 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199839170361", "Botnet": "go77lh"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.2166362758.0000000003710000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Wake.com PID: 5716	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Wake.com PID: 5716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.Wake.com.3a10000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1e2ca:$str01: MachineID: 0x1d553:$str02: Work Dir: In memory 0x1e301:$str03: [Hardware] 0x1e2b3:$str04: VideoCard: 0x1dcb5:$str05: [Processes] 0x1dcc1:$str06: [Software] 0x1d5d0:$str07: information.txt 0x1e036:$str08: %s\* 0x1e083:$str08: %s\* 0x1d806:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1db9f:$str12: UseMasterPassword 0x1e30d:$str13: Soft: WinSCP 0x1ddeb:$str14: <Pass encoding="base64"> 0x1e2f0:$str15: Soft: FileZilla 0x1d5c2:$str16: passwords.txt 0x1dbca:$str17: build_id 0x1dc79:$str18: file_data

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Wake.com T, ParentImage: C:\Users\user\AppData\Local\Temp\714380\Wake.com, ParentProcessId: 5716, ParentProcessName: Wake.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 3696, ProcessName: chrome.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\jPKFh06jHI.exe", ParentImage: C:\Users\user\Desktop\jPKFh06jHI.exe, ParentProcessId: 6824, ParentProcessName: jPKFh06jHI.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat, ProcessId: 6904, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6904, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , ProcessId: 7100, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-07T18:09:09.536526+0200	2028765	3	Unknown Traffic	192.168.2.7	49827	83.217.208.144	443	TCP
2025-04-07T18:09:35.301614+0200	2028765	3	Unknown Traffic	192.168.2.7	49686	49.13.158.58	443	TCP
2025-04-07T18:09:36.243179+0200	2028765	3	Unknown Traffic	192.168.2.7	49687	49.13.158.58	443	TCP
2025-04-07T18:09:37.369205+0200	2028765	3	Unknown Traffic	192.168.2.7	49688	49.13.158.58	443	TCP
2025-04-07T18:09:38.698387+0200	2028765	3	Unknown Traffic	192.168.2.7	49689	49.13.158.58	443	TCP
2025-04-07T18:09:39.821771+0200	2028765	3	Unknown Traffic	192.168.2.7	49690	49.13.158.58	443	TCP
2025-04-07T18:09:40.956144+0200	2028765	3	Unknown Traffic	192.168.2.7	49691	49.13.158.58	443	TCP
2025-04-07T18:09:42.358748+0200	2028765	3	Unknown Traffic	192.168.2.7	49692	49.13.158.58	443	TCP
2025-04-07T18:09:43.460795+0200	2028765	3	Unknown Traffic	192.168.2.7	49695	49.13.158.58	443	TCP
2025-04-07T18:09:44.426340+0200	2028765	3	Unknown Traffic	192.168.2.7	49696	49.13.158.58	443	TCP
2025-04-07T18:09:46.480614+0200	2028765	3	Unknown Traffic	192.168.2.7	49698	49.13.158.58	443	TCP
2025-04-07T18:09:54.580307+0200	2028765	3	Unknown Traffic	192.168.2.7	49726	49.13.158.58	443	TCP
2025-04-07T18:09:55.622976+0200	2028765	3	Unknown Traffic	192.168.2.7	49729	49.13.158.58	443	TCP
2025-04-07T18:09:56.736357+0200	2028765	3	Unknown Traffic	192.168.2.7	49730	49.13.158.58	443	TCP
2025-04-07T18:09:57.789214+0200	2028765	3	Unknown Traffic	192.168.2.7	49731	49.13.158.58	443	TCP
2025-04-07T18:09:59.068383+0200	2028765	3	Unknown Traffic	192.168.2.7	49732	49.13.158.58	443	TCP
2025-04-07T18:10:07.350703+0200	2028765	3	Unknown Traffic	192.168.2.7	49748	49.13.158.58	443	TCP
2025-04-07T18:10:08.343803+0200	2028765	3	Unknown Traffic	192.168.2.7	49765	49.13.158.58	443	TCP
2025-04-07T18:10:09.664174+0200	2028765	3	Unknown Traffic	192.168.2.7	49775	49.13.158.58	443	TCP
2025-04-07T18:10:10.767047+0200	2028765	3	Unknown Traffic	192.168.2.7	49783	49.13.158.58	443	TCP
2025-04-07T18:10:11.682794+0200	2028765	3	Unknown Traffic	192.168.2.7	49795	49.13.158.58	443	TCP
2025-04-07T18:10:12.987244+0200	2028765	3	Unknown Traffic	192.168.2.7	49811	49.13.158.58	443	TCP
2025-04-07T18:10:14.155318+0200	2028765	3	Unknown Traffic	192.168.2.7	49822	49.13.158.58	443	TCP
2025-04-07T18:10:16.258864+0200	2028765	3	Unknown Traffic	192.168.2.7	49825	49.13.158.58	443	TCP
2025-04-07T18:10:18.051779+0200	2028765	3	Unknown Traffic	192.168.2.7	49826	49.13.158.58	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-07T18:09:39.443034+0200	2044247	1	Malware Command and Control Activity Detected	49.13.158.58	443	192.168.2.7	49689	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-07T18:09:40.558636+0200	2051831	1	Malware Command and Control Activity Detected	49.13.158.58	443	192.168.2.7	49690	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-07T18:09:40.558450+0200	2049087	1	A Network Trojan was detected	192.168.2.7	49690	49.13.158.58	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-07T18:09:41.743038+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49691	49.13.158.58	443	TCP
2025-04-07T18:09:43.168421+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49692	49.13.158.58	443	TCP
2025-04-07T18:09:43.463757+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49695	49.13.158.58	443	TCP
2025-04-07T18:09:44.429351+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49696	49.13.158.58	443	TCP
2025-04-07T18:09:46.483474+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49698	49.13.158.58	443	TCP
2025-04-07T18:09:55.640532+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49726	49.13.158.58	443	TCP
2025-04-07T18:09:56.437955+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49729	49.13.158.58	443	TCP
2025-04-07T18:09:56.740088+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49730	49.13.158.58	443	TCP
2025-04-07T18:09:57.792091+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49731	49.13.158.58	443	TCP
2025-04-07T18:09:59.071506+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49732	49.13.158.58	443	TCP
2025-04-07T18:10:08.132230+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49748	49.13.158.58	443	TCP
2025-04-07T18:10:08.347026+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49765	49.13.158.58	443	TCP
2025-04-07T18:10:09.713581+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49775	49.13.158.58	443	TCP
2025-04-07T18:10:10.791562+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49783	49.13.158.58	443	TCP
2025-04-07T18:10:14.882969+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49822	49.13.158.58	443	TCP
2025-04-07T18:10:16.271504+0200	2059331	1	Malware Command and Control Activity Detected	192.168.2.7	49825	49.13.158.58	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-07T18:09:43.463757+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49695	49.13.158.58	443	TCP
2025-04-07T18:09:44.429351+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49696	49.13.158.58	443	TCP
2025-04-07T18:09:46.483474+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49698	49.13.158.58	443	TCP
2025-04-07T18:09:56.740088+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49730	49.13.158.58	443	TCP
2025-04-07T18:09:57.792091+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49731	49.13.158.58	443	TCP
2025-04-07T18:09:59.071506+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49732	49.13.158.58	443	TCP
2025-04-07T18:10:08.347026+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49765	49.13.158.58	443	TCP
2025-04-07T18:10:09.713581+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49775	49.13.158.58	443	TCP
2025-04-07T18:10:10.791562+0200	2859636	1	Malware Command and Control Activity Detected	192.168.2.7	49783	49.13.158.58	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-07T18:09:36.985085+0200	2859378	1	Malware Command and Control Activity Detected	192.168.2.7	49687	49.13.158.58	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000003.1121450612.0000000001235000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199839170361", "Botnet": "go77lh"}

Multi AV Scanner detection for submitted file

Source: jPKFh06jHI.exe	ReversingLabs: Detection: 41%
Source: jPKFh06jHI.exe	Virustotal: Detection: 35%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 94.6%

Source: jPKFh06jHI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 49.13.158.58:443 -> 192.168.2.7:49686 version: TLS 1.2

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Code function: 0_2_00405B82 FindFirstFileW,FindClose,	0_2_00405B82
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Code function: 0_2_00406543 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406543
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D6DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00D6DC54
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D7A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00D7A087
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D7A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00D7A1E2
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D6E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_00D6E472
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D7A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_00D7A570
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D766DC FindFirstFileW,FindNextFileW,FindClose,	12_2_00D766DC
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D3C622 FindFirstFileExW,	12_2_00D3C622
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D773D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_00D773D4
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D77333 FindFirstFileW,FindClose,	12_2_00D77333
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D6D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00D6D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\714380	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\714380\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.7:49690 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.7:49687 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49692 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49691 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49695 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49695 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49726 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49729 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49730 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49730 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49698 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49698 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49732 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49732 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.13.158.58:443 -> 192.168.2.7:49690
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.13.158.58:443 -> 192.168.2.7:49689
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49696 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49696 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49765 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49765 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49731 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49731 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49748 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49775 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49775 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49783 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.7:49783 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49822 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.7:49825 -> 49.13.158.58:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199839170361

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 49.13.158.58Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----3790hv3wtjw4eu3euasrHost: 49.13.158.58Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----zmy5ppzukxln7qie37q9Host: 49.13.158.58Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----b1djmym7yuk68qi5pppzHost: 49.13.158.58Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----phdbsje37900zu37qimyHost: 49.13.158.58Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ec2n7q9z58ymyu37gvsrHost: 49.13.158.58Content-Length: 5581Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----zmy5ppzukxln7qie37q9Host: 49.13.158.58Content-Length: 489Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----w47qq9rqqimozu3e3ekxHost: 49.13.158.58Content-Length: 262605Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----gvs00r1nym79rq1vs0zuHost: 49.13.158.58Content-Length: 55081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2nop8qimgv3w47ymgd2vHost: 49.13.158.58Content-Length: 186149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----mgl68gdjmo89rim7glnoHost: 49.13.158.58Content-Length: 505Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----mohlx47yc2no8q9hvknyHost: 49.13.158.58Content-Length: 493Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5xtjwtj5fuk68qq16f3oHost: 49.13.158.58Content-Length: 207993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5ppzmop8g4wln7g4wbi5Host: 49.13.158.58Content-Length: 68733Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----c2dt0r1dbsje379hdb1nHost: 49.13.158.58Content-Length: 262605Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----u3opp8glx4o8yukn7gl6Host: 49.13.158.58Content-Length: 3165Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----vaaaaimy5ph47qq9zm79Host: 49.13.158.58Content-Length: 393697Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----p8y58glxbsr9zukxtjekHost: 49.13.158.58Content-Length: 131557Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----j58glx4wbas2nyctj5pzHost: 49.13.158.58Content-Length: 6990993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----26f3e379hdbsje37gd2dHost: 49.13.158.58Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ngdbs2nop8ymymymym7yHost: 49.13.158.58Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5xbaai5f3eknymgd2n7gHost: 49.13.158.58Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----phvaasr1dbsrqq1ny58yHost: 49.13.158.58Content-Length: 98173Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----uknyc2vkngv37q9r9r9hHost: 49.13.158.58Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 20.189.173.17 20.189.173.17
Source: Joe Sandbox View	IP Address: 20.125.209.212 20.125.209.212
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: INF-NET-ASRU INF-NET-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49691 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49688 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49686 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49689 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49696 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49698 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49695 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49729 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49726 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49732 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49690 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49692 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49731 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49730 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49687 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49765 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49775 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49748 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49783 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49795 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49811 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49822 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49825 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49826 -> 49.13.158.58:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49827 -> 83.217.208.144:443

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.158.58

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D7D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

12_2_00D7D889

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 49.13.158.58Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQEI9s/OAQiB1s4BCMHYzgEIydzOAQiE4M4BCKLkzgEIr+TOAQjp5M4BCLTlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQEI9s/OAQiB1s4BCMHYzgEIydzOAQiE4M4BCKLkzgEIr+TOAQjp5M4BCLTlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9vR1rNwOjC3PXOxUlyKiCwNBv2Fg/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.828d19e24cc86fbcd5c9.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=9\|RefA=26D134C43D904DC9AD49D1234D3879D9.RefC=2025-04-07T16:10:05Z; USRLOC=; MUID=0CD6EFCADE7267A82236FA0DDF1066E0; MUIDB=0CD6EFCADE7267A82236FA0DDF1066E0; _EDGE_S=F=1&SID=2DA37FFF2982608E24286A3828326187; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.82b01c49017b9c3eff0d.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.6sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=9\|RefA=26D134C43D904DC9AD49D1234D3879D9.RefC=2025-04-07T16:10:05Z; USRLOC=; MUID=0CD6EFCADE7267A82236FA0DDF1066E0; MUIDB=0CD6EFCADE7267A82236FA0DDF1066E0; _EDGE_S=F=1&SID=2DA37FFF2982608E24286A3828326187; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.08ddc3af8246ad2193cd.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.50229b34d72ee6ba350f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.c28ba8b4fe1e29635352.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.900c61c8bdff8b70fdbd.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1744042209964&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CD6EFCADE7267A82236FA0DDF1066E0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1744042209963&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=26d134c43d904dc9ad49d1234d3879d9&activityId=26d134c43d904dc9ad49d1234d3879d9&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=0CD6EFCADE7267A82236FA0DDF1066E0; _EDGE_S=F=1&SID=2DA37FFF2982608E24286A3828326187; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b2?rn=1744042209964&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CD6EFCADE7267A82236FA0DDF1066E0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=18Cc40eed45c07d2c39702c1744042211; XID=18Cc40eed45c07d2c39702c1744042211
Source: global traffic	HTTP traffic detected: GET /crx/blobs/Ad_brx3-BuL0c-lurTuHDvLGx_3o1po6xdCJ6biVPWmOWpEAIO3qQwYr84tWN8xt3Y-b4FBELB16YJo65m5b1LlifuobAPibVoX_4l94iArbx2Gsn4X-g9109tXuJL65PgYAxlKa5UnJV70rV6RKReARs98yYD2dVaKO/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 10sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 250sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=9\|RefA=26D134C43D904DC9AD49D1234D3879D9.RefC=2025-04-07T16:10:05Z; USRLOC=; MUID=0CD6EFCADE7267A82236FA0DDF1066E0; MUIDB=0CD6EFCADE7267A82236FA0DDF1066E0; _EDGE_S=F=1&SID=2DA37FFF2982608E24286A3828326187; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=d7160352-1ff5-40b2-ade2-bb67cec56eb9; ai_session=52AZS8FSqzYqkdFi9FCg8h\|1744042209959\|1744042209959; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=9\|RefA=26D134C43D904DC9AD49D1234D3879D9.RefC=2025-04-07T16:10:05Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1744042209963&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=26d134c43d904dc9ad49d1234d3879d9&activityId=26d134c43d904dc9ad49d1234d3879d9&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=4E2599432189459680282D863E382528&MUID=0CD6EFCADE7267A82236FA0DDF1066E0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=0CD6EFCADE7267A82236FA0DDF1066E0; _EDGE_S=F=1&SID=2DA37FFF2982608E24286A3828326187; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=720&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":27,"imageId":"BB1msOZ8","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"cpt":false,"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=9\|RefA=26D134C43D904DC9AD49D1234D3879D9.RefC=2025-04-07T16:10:05Z; USRLOC=; MUID=0CD6EFCADE7267A82236FA0DDF1066E0; MUIDB=0CD6EFCADE7267A82236FA0DDF1066E0; _EDGE_S=F=1&SID=2DA37FFF2982608E24286A3828326187; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=d7160352-1ff5-40b2-ade2-bb67cec56eb9; ai_session=52AZS8FSqzYqkdFi9FCg8h\|1744042209959\|1744042209959; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=9\|RefA=26D134C43D904DC9AD49D1234D3879D9.RefC=2025-04-07T16:10:05Z

Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000010.00000003.1288509884.0000203C00314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000010.00000003.1288509884.0000203C00314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: xKhthobNhGNvUPqyvDy.xKhthobNhGNvUPqyvDy
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ogads-pa.clients6.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----3790hv3wtjw4eu3euasrHost: 49.13.158.58Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: jPKFh06jHI.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: jPKFh06jHI.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000010.00000002.1347517190.0000203C00904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Assumes.8.dr, Wake.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Assumes.8.dr, Wake.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: jPKFh06jHI.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: jPKFh06jHI.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: jPKFh06jHI.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: chrome.exe, 00000010.00000002.1347743567.0000203C009A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344072027.0000203C000E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000010.00000002.1350258536.0000203C0110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000010.00000002.1343825432.0000203C00095000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: jPKFh06jHI.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Assumes.8.dr, Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Assumes.8.dr, Wake.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: jPKFh06jHI.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: jPKFh06jHI.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: chrome.exe, 00000010.00000002.1349908881.0000203C00FE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: chrome.exe, 00000010.00000002.1349433562.0000203C00E5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: Wake.com, 0000000C.00000000.943415256.0000000000DD5000.00000002.00000001.01000000.00000008.sdmp, Convicted.8.dr, Wake.com.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: chromecache_453.18.dr	String found in binary or memory: http://www.broofa.com
Source: chrome.exe, 00000010.00000002.1345427213.0000203C00480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 00000010.00000002.1349464140.0000203C00E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: jPKFh06jHI.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: Wake.com, 0000000C.00000003.1121340256.00000000011A1000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121561633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121314835.0000000001235000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121520665.000000000118B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.1
Source: Wake.com, 0000000C.00000003.1121450612.0000000001235000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121823251.0000000001256000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2167206573.00000000039C7000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2168427542.0000000003A11000.00000040.00001000.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121478187.0000000003733000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://49.13.158.58
Source: Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.158.58/
Source: Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.158.58/Mg
Source: Wake.com, 0000000C.00000002.2165101677.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.158.58N
Source: Wake.com, 0000000C.00000002.2166362758.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121823251.0000000001256000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2168427542.0000000003A11000.00000040.00001000.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121478187.0000000003733000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://49.13.158.58hello
Source: Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://49.13.158.58hellohttps://t.me/lw25chmgo77lhMozilla/5.0
Source: Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://83.217.208.144/
Source: Wake.com, 0000000C.00000002.2165101677.000000000122F000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://83.217.208.144/Figma.exe
Source: Wake.com, 0000000C.00000002.2165101677.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://83.217.208.144/Figma.exeH
Source: Wake.com, 0000000C.00000002.2165101677.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://83.217.208.144/Figma.exev
Source: sriwln.12.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000010.00000002.1343592643.0000203C0004C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000010.00000002.1346651878.0000203C007EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351127345.0000203C01324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1272042282.0000203C007E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346504011.0000203C00798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000010.00000002.1344665943.0000203C00204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350258536.0000203C0110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000010.00000002.1343916285.0000203C000B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chromecache_456.18.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_456.18.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000010.00000002.1346504011.0000203C00798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp, chromecache_456.18.dr, chromecache_453.18.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000010.00000002.1348696422.0000203C00C14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1343916285.0000203C000B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes
Source: msedge.exe, 0000001A.00000002.1401674444.000001ACE134E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comse
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: chrome.exe, 00000010.00000002.1347876155.0000203C009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, jmyuai.12.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, jmyuai.12.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.29.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://c.msn.com/
Source: chrome.exe, 00000010.00000003.1299133666.0000203C00604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351878121.0000203C01548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351741434.0000203C014C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: sriwln.12.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.28.dr, service_worker_bin_prod.js.28.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: Wake.com, 0000000C.00000002.2166362758.0000000003785000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349395091.0000203C00E44000.00000004.00000800.00020000.00000000.sdmp, Web Data.28.dr, sriwln.12.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Wake.com, 0000000C.00000002.2166362758.0000000003785000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349395091.0000203C00E44000.00000004.00000800.00020000.00000000.sdmp, Web Data.28.dr, sriwln.12.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000010.00000002.1344111795.0000203C000F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1343493846.0000203C00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347630075.0000203C00964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347809865.0000203C009B8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000002.1404726022.000032580237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.28.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000010.00000002.1349554998.0000203C00ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1352335959.0000203C01828000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348776929.0000203C00C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349464140.0000203C00E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000010.00000002.1338289525.00000267190A7000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enm/webstore?hl=en
Source: chrome.exe, 00000010.00000002.1344111795.0000203C000F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000010.00000003.1258465643.0000203800504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000010.00000003.1258465643.0000203800504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000010.00000003.1258354717.00002038004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1258108524.00002038004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1258203692.00002038004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000010.00000002.1346865080.0000203C0083C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000010.00000002.1346865080.0000203C0083C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000010.00000002.1343493846.0000203C00004000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000002.1404726022.000032580237C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.28.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: msedge.exe, 0000001A.00000002.1404726022.000032580237C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/2X
Source: chrome.exe, 00000010.00000002.1348214480.0000203C00A68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000010.00000002.1348122760.0000203C00A34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000010.00000003.1252031008.000011C0000E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000010.00000002.1350394563.0000203C01174000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344334138.0000203C00170000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1272577662.0000203C01170000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347845641.0000203C009D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1343493846.0000203C00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344529607.0000203C001D0000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000002.1404050523.0000325802240000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.28.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000010.00000002.1347387744.0000203C008C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000010.00000002.1347387744.0000203C008C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000010.00000002.1347387744.0000203C008C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chromecache_456.18.dr	String found in binary or memory: https://clients6.google.com
Source: chrome.exe, 00000010.00000002.1347517190.0000203C00904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chromecache_456.18.dr	String found in binary or memory: https://content.googleapis.com
Source: Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, jmyuai.12.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, jmyuai.12.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000010.00000002.1345098711.0000203C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: 2cc80dabc69f58b6_0.28.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json0.28.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351741434.0000203C014C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351741434.0000203C014C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350961542.0000203C012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000002.1350961542.0000203C012A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actionsC0A
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351741434.0000203C014C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chromecache_456.18.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.28.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: sriwln.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.28.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Wake.com, 0000000C.00000002.2166362758.0000000003785000.00000004.00000800.00020000.00000000.sdmp, sriwln.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: sriwln.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log5.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log5.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log4.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr, HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log5.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr, HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chrome.exe, 00000010.00000003.1289320488.0000203C016F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1289478115.0000203C016A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1289096265.0000203C01720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chromecache_453.18.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_453.18.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_453.18.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_453.18.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://gaana.com/
Source: sriwln.12.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glicbN
Source: chrome.exe, 00000010.00000003.1258203692.00002038004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000010.00000003.1258108524.00002038004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000010.00000003.1258354717.00002038004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1258108524.00002038004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1258203692.00002038004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000010.00000003.1258354717.00002038004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1258108524.00002038004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1258203692.00002038004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000010.00000003.1258108524.00002038004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000010.00000003.1258108524.00002038004CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 00000010.00000003.1258108524.00002038004CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1258203692.00002038004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: msedge.exe, 0000001A.00000002.1405136815.00003258024C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000010.00000002.1347809865.0000203C009B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299808410.0000203C01C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: jmyuai.12.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: chrome.exe, 00000010.00000003.1288547289.0000203C01640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1352056869.0000203C01640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348776929.0000203C00C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349176372.0000203C00DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000010.00000002.1345257733.0000203C00440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299443705.0000203C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: chrome.exe, 00000010.00000003.1299133666.0000203C00604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://m.kugou.com/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://m.soundcloud.com/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://m.vk.com/
Source: chrome.exe, 00000010.00000002.1351127345.0000203C01324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350258536.0000203C0110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1272422800.0000203C010C5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350144150.0000203C010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 00000010.00000002.1350097642.0000203C01070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350961542.0000203C012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351741434.0000203C014C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000010.00000002.1345257733.0000203C00440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299443705.0000203C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: msedge.exe, 0000001A.00000002.1405136815.00003258024C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000001A.00000002.1405136815.00003258024C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: Cookies.29.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.29.dr	String found in binary or memory: https://msn.comXIDv10
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://music.amazon.com
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://music.apple.com
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://music.yandex.com
Source: chrome.exe, 00000010.00000002.1352135662.0000203C0178C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348366074.0000203C00AD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348830411.0000203C00CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348332900.0000203C00AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346779867.0000203C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348332900.0000203C00AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348332900.0000203C00AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000010.00000002.1348895256.0000203C00CCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log1.28.dr, 2cc80dabc69f58b6_0.28.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log7.28.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log7.28.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.28.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 000003.log7.28.dr, 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13388515803731637.28.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.28.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.28.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 0000001A.00000002.1405136815.00003258024C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.clients6.google.com
Source: chrome.exe, 00000010.00000002.1349263643.0000203C00E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://open.spotify.com
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: chrome.exe, 00000010.00000003.1299133666.0000203C00604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: chrome.exe, 00000010.00000002.1347876155.0000203C009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://people.googleapis.com/
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chromecache_453.18.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_456.18.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_456.18.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000010.00000003.1272548326.0000203C01260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348895256.0000203C00CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349019724.0000203C00D34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: chrome.exe, 00000010.00000002.1345993753.0000203C00558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000010.00000002.1345993753.0000203C00558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000010.00000002.1345257733.0000203C00440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: chrome.exe, 00000010.00000002.1344186552.0000203C00118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349464140.0000203C00E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000010.00000003.1288547289.0000203C01640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1352056869.0000203C01640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348776929.0000203C00C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349176372.0000203C00DE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://srtb.msn.com/
Source: chrome.exe, 00000010.00000002.1345257733.0000203C00440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299443705.0000203C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Wake.com, 0000000C.00000003.1121450612.0000000001235000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121823251.0000000001256000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2168427542.0000000003A11000.00000040.00001000.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121478187.0000000003733000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199839170361
Source: Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199839170361go77lhMozilla/5.0
Source: chrome.exe, 00000010.00000002.1346026583.0000203C00598000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1288960343.0000203C0058C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: Wake.com, 0000000C.00000002.2172626454.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Wake.com, 0000000C.00000002.2172626454.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Wake.com, 0000000C.00000003.1121450612.0000000001235000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121823251.0000000001256000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2168427542.0000000003A11000.00000040.00001000.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121478187.0000000003733000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/lw25chm
Source: chrome.exe, 00000010.00000002.1349464140.0000203C00E74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://tidal.com/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.28.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.28.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.28.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://vibe.naver.com/today
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://web.telegram.org/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://web.whatsapp.com
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_456.18.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, jmyuai.12.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: Acids.8.dr, Wake.com.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.deezer.com/
Source: Wake.com, 0000000C.00000002.2166362758.0000000003785000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349395091.0000203C00E44000.00000004.00000800.00020000.00000000.sdmp, sriwln.12.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Wake.com.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000010.00000002.1350797942.0000203C01238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000010.00000002.1344111795.0000203C000F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347387744.0000203C008FE000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347568205.0000203C00938000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1272548326.0000203C01260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347845641.0000203C009D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348122760.0000203C00A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347809865.0000203C009B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000010.00000003.1288547289.0000203C01640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1352056869.0000203C01640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000010.00000002.1352305034.0000203C01804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: content_new.js.28.dr, content.js.28.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000010.00000002.1347876155.0000203C009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000010.00000002.1348122760.0000203C00A34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000010.00000002.1348122760.0000203C00A34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348776929.0000203C00C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351825929.0000203C01510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: Wake.com, 0000000C.00000002.2166362758.0000000003785000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346192972.0000203C006D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347387744.0000203C008C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346221527.0000203C006E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344939441.0000203C003CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349395091.0000203C00E44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344309759.0000203C00164000.00000004.00000800.00020000.00000000.sdmp, sriwln.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Web Data.28.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000010.00000002.1345257733.0000203C00440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299443705.0000203C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000010.00000002.1346166993.0000203C00660000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000010.00000002.1344665943.0000203C00204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chromecache_456.18.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_456.18.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000010.00000003.1298868983.0000203C01720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299890870.0000203800630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000010.00000002.1344619852.0000203C001F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000010.00000002.1350797942.0000203C01238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000010.00000002.1350797942.0000203C01238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: service_worker_bin_prod.js.28.dr	String found in binary or memory: https://www.gstatic.com/_/apps-fileview/_/js/
Source: chrome.exe, 00000010.00000002.1346931150.0000203C00864000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chromecache_453.18.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chrome.exe, 00000010.00000002.1353278705.0000203C01AE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Source: chromecache_453.18.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_453.18.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000010.00000002.1352768815.0000203C01974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000010.00000003.1288631392.0000203C01680000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299443705.0000203C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299630851.0000203C019AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1352768815.0000203C01974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ke5z57QrnxY.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.Rc_yzHk8ifQ.L.W.O/m=qmd
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.instagram.com
Source: Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, jmyuai.12.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.last.fm/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.messenger.com
Source: Wake.com, 0000000C.00000002.2172626454.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: Wake.com, 0000000C.00000002.2172626454.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: Wake.com, 0000000C.00000002.2172626454.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: Wake.com, 0000000C.00000002.2172626454.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Wake.com, 0000000C.00000002.2172626454.0000000005CEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2cc80dabc69f58b6_1.28.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.office.com
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: jPKFh06jHI.exe	String found in binary or memory: https://www.ssl.com/repository0
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.tiktok.com/
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://www.youtube.com
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 49.13.158.58:443 -> 192.168.2.7:49686 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D7F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_00D7F55C

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D7F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_00D7F7C7

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

12_2_00D7F55C

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D6A635 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

12_2_00D6A635

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D99FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_00D99FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.Wake.com.3a10000.1.unpack, type: UNPACKEDPE

Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D74763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

12_2_00D74763

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D61B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_00D61B4D

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Code function: 0_2_004033FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_004033FF
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D6F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		12_2_00D6F20D

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	File created: C:\Windows\RomaniaSuggests	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	File created: C:\Windows\ConstitutionalReceive	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	File created: C:\Windows\DirectorsAvailable	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	File created: C:\Windows\ExplanationLogging	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	File created: C:\Windows\EitherPuzzle	Jump to behavior

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Code function: 0_2_00406A03	0_2_00406A03
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D28017	12_2_00D28017
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D0E1F0	12_2_00D0E1F0
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D1E144	12_2_00D1E144
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D222A2	12_2_00D222A2
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D022AD	12_2_00D022AD
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D3A26E	12_2_00D3A26E
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D1C624	12_2_00D1C624
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D8C8A4	12_2_00D8C8A4
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D3E87F	12_2_00D3E87F
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D36ADE	12_2_00D36ADE
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D72A05	12_2_00D72A05
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D68BFF	12_2_00D68BFF
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D1CD7A	12_2_00D1CD7A
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D2CE10	12_2_00D2CE10
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D37159	12_2_00D37159
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D09240	12_2_00D09240
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D95311	12_2_00D95311
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D096E0	12_2_00D096E0
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D21704	12_2_00D21704
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D21A76	12_2_00D21A76
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D27B8B	12_2_00D27B8B
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D09B60	12_2_00D09B60
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D27DBA	12_2_00D27DBA
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D21D20	12_2_00D21D20
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D21FE7	12_2_00D21FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\714380\Wake.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: String function: 00D1FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: String function: 00D20DA0 appears 46 times

Source: jPKFh06jHI.exe, 00000000.00000003.1870216239.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs jPKFh06jHI.exe
Source: jPKFh06jHI.exe, 00000000.00000002.1876277331.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs jPKFh06jHI.exe

Source: jPKFh06jHI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.Wake.com.3a10000.1.unpack, type: UNPACKEDPE

Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@89/302@30/25

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D741FA GetLastError,FormatMessageW,

12_2_00D741FA

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D62010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_00D62010
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D61A0B AdjustTokenPrivileges,CloseHandle,		12_2_00D61A0B

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D75CF5 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

12_2_00D75CF5

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D6DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

12_2_00D6DD87

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D84189 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

12_2_00D84189

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D73A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

12_2_00D73A0E

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\ELAIX04D.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

File created: C:\Users\user~1\AppData\Local\Temp\nszFDAB.tmp

Jump to behavior

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat

Source: jPKFh06jHI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000010.00000002.1347387744.0000203C008FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: 16phvsjmg.12.dr, w47qq9rqq.12.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: jPKFh06jHI.exe	ReversingLabs: Detection: 41%
Source: jPKFh06jHI.exe	Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

File read: C:\Users\user\Desktop\jPKFh06jHI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jPKFh06jHI.exe "C:\Users\user\Desktop\jPKFh06jHI.exe"
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 714380
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Hiv.jar
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "prague" Mean
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 714380\Wake.com + Valuable + Concert + Cap + Continuously + Portable + Electro + Volleyball + Alien + Convicted + Acids + Assumes 714380\Wake.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Revelation.jar + ..\Keyboard.jar + ..\Ellis.jar + ..\Leaves.jar + ..\Grass.jar T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\714380\Wake.com Wake.com T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2292,i,16634395396908281,15865996952827246330,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2440 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2220,i,16376653140617758097,345704766534090837,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6936 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7248 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7184 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 714380	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Hiv.jar	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "prague" Mean	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 714380\Wake.com + Valuable + Concert + Cap + Continuously + Portable + Electro + Volleyball + Alien + Convicted + Acids + Assumes 714380\Wake.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Revelation.jar + ..\Keyboard.jar + ..\Ellis.jar + ..\Leaves.jar + ..\Grass.jar T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\714380\Wake.com Wake.com T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2292,i,16634395396908281,15865996952827246330,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2440 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2220,i,16376653140617758097,345704766534090837,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6936 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7248 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7184 --field-trial-handle=2112,i,13478726597598513471,14813124092062783513,262144 /prefetch:8

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: jPKFh06jHI.exe

Static file information: File size 1122194 > 1048576

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

Code function: 0_2_00405BA9 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405BA9

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D20DE6 push ecx; ret

12_2_00D20DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D926DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		12_2_00D926DD
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D1FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		12_2_00D1FC7C

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_12-105086

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Window / User API: threadDelayed 2728			Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Window / User API: threadDelayed 868			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

API coverage: 3.7 %

Source: C:\Users\user\Desktop\jPKFh06jHI.exe TID: 6884	Thread sleep time: -171864s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\jPKFh06jHI.exe TID: 6884	Thread sleep time: -54684s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Code function: 0_2_00405B82 FindFirstFileW,FindClose,	0_2_00405B82
Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Code function: 0_2_00406543 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406543
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D6DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00D6DC54
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D7A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00D7A087
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D7A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00D7A1E2
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D6E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_00D6E472
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D7A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_00D7A570
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D766DC FindFirstFileW,FindNextFileW,FindClose,	12_2_00D766DC
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D3C622 FindFirstFileExW,	12_2_00D3C622
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D773D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_00D773D4
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D77333 FindFirstFileW,FindClose,	12_2_00D77333
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D6D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00D6D921

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D05FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00D05FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\714380	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\714380\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: chrome.exe, 00000010.00000002.1337056073.00000267151A6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Web Data.28.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXT64VMWare
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V frbuikavxvbradr Bus Pipes
Source: Wake.com, 0000000C.00000002.2165101677.000000000122F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\9
Source: Web Data.28.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: Web Data.28.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: chrome.exe, 00000010.00000003.1300741703.0000026719E19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ime Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts
Source: chrome.exe, 00000010.00000002.1337056073.00000267151A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processorw
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Web Data.28.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Web Data.28.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Web Data.28.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Web Data.28.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: chrome.exe, 00000010.00000003.1301206825.0000026719E0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: chrome.exe, 00000010.00000002.1337056073.0000026715108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Web Data.28.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: chrome.exe, 00000010.00000002.1337056073.0000026715108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: Web Data.28.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Web Data.28.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: chrome.exe, 00000010.00000002.1337056073.0000026715141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V HypervisoriC
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipess
Source: chrome.exe, 00000010.00000002.1349322140.0000203C00E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \Google\Chrome\User Data\Defaultt=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=ba817f54-83de-46fb-962a-6ef7166f353d
Source: Web Data.28.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: chrome.exe, 00000010.00000002.1339787392.0000026719E81000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1305435741.0000026719E7B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1305161971.0000026719E7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: chrome.exe, 00000010.00000002.1337056073.00000267151A6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1337056073.00000267151C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: chrome.exe, 00000010.00000002.1349322140.0000203C00E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: t=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=ba817f54-83de-46fb-962a-6ef7166f353d
Source: Web Data.28.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: chrome.exe, 00000010.00000002.1337056073.0000026715108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processort`9
Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Web Data.28.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Web Data.28.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition*
Source: Web Data.28.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Web Data.28.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Web Data.28.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Web Data.28.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chrome.exe, 00000010.00000002.1337056073.0000026715108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Web Data.28.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Web Data.28.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: chrome.exe, 00000010.00000002.1337056073.00000267151A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service5
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Web Data.28.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: Web Data.28.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: The counters in this collection refer to system-wide metrics about the performance of the Event Tracing for Windows subsystem.unt Infinite3094Hyper-V Virtual Machine Bus Pipes3096Reads/sec3098Writes/sec3100Bytes Read/sec3102Bytes Writt
Source: Web Data.28.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Web Data.28.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Web Data.28.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Web Data.28.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Web Data.28.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: chrome.exe, 00000010.00000002.1337056073.00000267151A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processoruis
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: chrome.exe, 00000010.00000002.1337056073.0000026715108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitionuiv9
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 00000010.00000003.1262563047.0000203C003C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Web Data.28.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: chrome.exe, 00000010.00000002.1337056073.0000026715141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V frbuikavxvbradr Bus
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: chrome.exe, 00000010.00000002.1335744029.0000026711478000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000001A.00000002.1400520523.000001ACDF442000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 00000010.00000003.1300885067.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1300319412.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition4908Virtual Processors4910VirtL
Source: chrome.exe, 00000010.00000002.1349322140.0000203C00E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=ba817f54-83de-46fb-962a-6ef7166f353d
Source: chrome.exe, 00000010.00000002.1337056073.0000026715108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 00000010.00000003.1300885067.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1300319412.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: essions6328Inactive Sessions6330Total Sessions4806Hyper-V Hype
Source: Web Data.28.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sysj
Source: Web Data.28.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 00000010.00000003.1300885067.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1300319412.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ount 64ms9706Runtime Count 256ms9708Runtime Count 1s9710Runtime Count 4s9712Runtime Count 16s9714Runtime Count 1min9716Runtime Count Infinite3094Hyper-V Virtual Machine Bus Pipes3096Reads/sec3098Writes/sec3100Bytes Read/sec3102Bytes Writt
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Wake.com, 0000000C.00000002.2165101677.000000000122F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1300885067.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1300319412.0000026719DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4788Hyper-V Hypervisor4790Logical Processors4792
Source: Web Data.28.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor7
Source: chrome.exe, 00000010.00000002.1339787392.0000026719D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition.dll

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D7F4FF BlockInput,

12_2_00D7F4FF

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D0338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_00D0338B

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

Code function: 0_2_00405BA9 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405BA9

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D25058 mov eax, dword ptr fs:[00000030h]

12_2_00D25058

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D620AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

12_2_00D620AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D32992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00D32992
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D20BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00D20BAF
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D20D45 SetUnhandledExceptionFilter,	12_2_00D20D45
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D20F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00D20F91

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

12_2_00D61B4D

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D0338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_00D0338B

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D6BBED SendInput,keybd_event,

12_2_00D6BBED

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D6ECD0 mouse_event,

12_2_00D6ECD0

Source: C:\Users\user\Desktop\jPKFh06jHI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Decide.jar Decide.jar.bat & Decide.jar.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 714380	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Hiv.jar	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "prague" Mean	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 714380\Wake.com + Valuable + Concert + Cap + Continuously + Portable + Electro + Volleyball + Alien + Convicted + Acids + Assumes 714380\Wake.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Revelation.jar + ..\Keyboard.jar + ..\Ellis.jar + ..\Leaves.jar + ..\Grass.jar T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\714380\Wake.com Wake.com T	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D614AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

12_2_00D614AE

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D61FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

12_2_00D61FB0

Source: Wake.com, 0000000C.00000002.2163265785.0000000000DC3000.00000002.00000001.01000000.00000008.sdmp, Convicted.8.dr, Wake.com.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Wake.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D20A08 cpuid

12_2_00D20A08

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D5E5F4 GetLocalTime,

12_2_00D5E5F4

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D5E652 GetUserNameW,

12_2_00D5E652

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Code function: 12_2_00D3BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_00D3BCD2

Source: C:\Users\user\Desktop\jPKFh06jHI.exe

Code function: 0_2_004060B4 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004060B4

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Wake.com PID: 5716, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Wake.com, 0000000C.00000002.2165101677.000000000122F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,bcex.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,eth.,recovery.,.kdbx,ngrave.,safepal.,ellipal.,UTC-.,bitgo.,nano.txt,bitstamp.,bittrex.,xrp.,phrase.,ripple.,doge.,cardano.,daedalus.,.kdb,phantom.*
Source: Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Wake.com, 0000000C.00000002.2165101677.000000000122F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,bcex.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,eth.,recovery.,.kdbx,ngrave.,safepal.,ellipal.,UTC-.,bitgo.,nano.txt,bitstamp.,bittrex.,xrp.,phrase.,ripple.,doge.,cardano.,daedalus.,.kdb,phantom.*
Source: Wake.com, 0000000C.00000002.2165101677.000000000122F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,bcex.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,eth.,recovery.,.kdbx,ngrave.,safepal.,ellipal.,UTC-.,bitgo.,nano.txt,bitstamp.,bittrex.,xrp.,phrase.,ripple.,doge.,cardano.,daedalus.,.kdb,phantom.*
Source: Wake.com, 0000000C.00000002.2169810322.0000000005B8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \MultiDoge\
Source: Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Wake.com, 0000000C.00000002.2167206573.0000000003A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Wake.com, 0000000C.00000002.2167206573.00000000039C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 83.217.208.144ontdesk\AppData\Roaming\Electrum-LTC\wallets\.I

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Wake.com	Binary or memory string: WIN_81
Source: Wake.com	Binary or memory string: WIN_XP
Source: Wake.com.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Wake.com	Binary or memory string: WIN_XPe
Source: Wake.com	Binary or memory string: WIN_VISTA
Source: Wake.com	Binary or memory string: WIN_7
Source: Wake.com	Binary or memory string: WIN_8

Source: Yara match	File source: 0000000C.00000002.2166362758.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wake.com PID: 5716, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Wake.com PID: 5716, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D82263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		12_2_00D82263
Source: C:\Users\user\AppData\Local\Temp\714380\Wake.com	Code function: 12_2_00D81C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		12_2_00D81C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	26 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	111 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jPKFh06jHI.exe	42%	ReversingLabs	Win32.Spyware.Vidar
jPKFh06jHI.exe	35%	Virustotal		Browse
SAMPLE	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\714380\Wake.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://49.13.158.58/	0%	Avira URL Cloud	safe
https://49.13.158.58N	0%	Avira URL Cloud	safe
https://49.13.158.58hello	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0012.t-0009.t-msedge.net	13.107.246.40	true	false	high
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
ax-0003.ax-msedge.net	150.171.27.12	true	false	high
plus.l.google.com	142.251.40.206	true	false	high
ax-0002.ax-msedge.net	150.171.27.11	true	false	high
a416.dscd.akamai.net	23.204.152.207	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
c-msn-pme.trafficmanager.net	20.110.205.119	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
a233.dscd.akamai.net	23.219.161.138	true	false	high
ogads-pa.clients6.google.com	142.251.35.170	true	false	high
play.google.com	142.250.65.206	true	false	high
sb.scorecardresearch.com	108.139.47.92	true	false	high
www.google.com	142.251.40.164	true	false	high
bzib.nelreports.net	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
xKhthobNhGNvUPqyvDy.xKhthobNhGNvUPqyvDy	unknown	unknown	false	unknown
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1744042213733&w=0&NoResponseBody=true	false		high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false		high
https://ntp.msn.com/bundles/v1/edgeChromium/latest/web-worker.82b01c49017b9c3eff0d.js	false		high
https://assets.msn.com/bundles/v1/edgeChromium/latest/common.c28ba8b4fe1e29635352.js	false		high
https://49.13.158.58/	true	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199839170361	false		high
https://sb.scorecardresearch.com/b?rn=1744042209964&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0CD6EFCADE7267A82236FA0DDF1066E0&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
https://ntp.msn.com/bundles/v1/edgeChromium/latest/SSR-extension.828d19e24cc86fbcd5c9.js	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Web Data.28.dr	false		high
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	sriwln.12.dr	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	jPKFh06jHI.exe	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 00000010.00000002.1345257733.0000203C00440000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/0	000003.log7.28.dr	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 00000010.00000002.1347387744.0000203C008C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346779867.0000203C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348332900.0000203C00AB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/_default	QuotaManager.28.dr	false		high
http://ocsps.ssl.com0?	jPKFh06jHI.exe	false		high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	jPKFh06jHI.exe	false		high
https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/	chrome.exe, 00000010.00000002.1347876155.0000203C009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	2cc80dabc69f58b6_0.28.dr	false		high
https://ntp.msn.cn/edge/ntp	2cc80dabc69f58b6_1.28.dr	false		high
https://support.google.com/chrome?p=desktop_tab_groups	chrome.exe, 00000010.00000002.1346026583.0000203C00598000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1288960343.0000203C0058C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 00000010.00000002.1350258536.0000203C0110C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	manifest.json0.28.dr	false		high
https://docs.google.com/document/:	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://mail.google.com/chat/	chrome.exe, 00000010.00000002.1351127345.0000203C01324000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350258536.0000203C0110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1272422800.0000203C010C5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350144150.0000203C010C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.instagram.com	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
http://unisolated.invalid/	chrome.exe, 00000010.00000002.1349433562.0000203C00E5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/tips/	chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348776929.0000203C00C38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351825929.0000203C01510000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)	chrome.exe, 00000010.00000002.1347743567.0000203C009A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344072027.0000203C000E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.office.com/mail/compose?isExtension=true	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://i.y.qq.com/n2/m/index.html	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://www.deezer.com/	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/browser-tools/	chrome.exe, 00000010.00000002.1348122760.0000203C00A34000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351741434.0000203C014C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web.telegram.org/	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000010.00000002.1344111795.0000203C000F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1343493846.0000203C00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347630075.0000203C00964000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347809865.0000203C009B8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000002.1404726022.000032580237C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/mathjax/	offscreendocument_main.js.28.dr, service_worker_bin_prod.js.28.dr	false		high
https://drive-daily-2.corp.google.com/	manifest.json0.28.dr	false		high
https://unitedstates1.ss.wd.microsoft.us/	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.28.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sriwln.12.dr	false		high
http://www.autoitscript.com/autoit3/X	Wake.com, 0000000C.00000000.943415256.0000000000DD5000.00000002.00000001.01000000.00000008.sdmp, Convicted.8.dr, Wake.com.1.dr	false		high
https://ogads-pa.clients6.google.com	chrome.exe, 00000010.00000002.1350848860.0000203C0124C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-1.corp.google.com/	manifest.json0.28.dr	false		high
https://excel.new?from=EdgeM365Shoreline	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json0.28.dr	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1351741434.0000203C014C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348332900.0000203C00AB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plus.google.com	chromecache_456.18.dr	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL.29.dr	false		high
https://chrome.google.com/webstore?hl=enm/webstore?hl=en	chrome.exe, 00000010.00000002.1338289525.00000267190A7000.00000004.08000000.00040000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000010.00000002.1348991157.0000203C00D18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1350961542.0000203C012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348519314.0000203C00B90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 00000010.00000002.1343493846.0000203C00004000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000002.1404726022.000032580237C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.28.dr	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	Wake.com, 0000000C.00000002.2165101677.0000000001220000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2166362758.000000000378F000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, jmyuai.12.dr	false		high
https://drive-preprod.corp.google.com/	manifest.json0.28.dr	false		high
https://srtb.msn.cn/	2cc80dabc69f58b6_1.28.dr	false		high
https://msn.comXIDv10	Cookies.29.dr	false		high
https://chrome.google.com/webstore/	manifest.json.28.dr	false		high
https://bard.google.com/	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://assets.msn.cn/resolver/	2cc80dabc69f58b6_1.28.dr	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 00000010.00000002.1344690210.0000203C00220000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	sriwln.12.dr	false		high
https://browser.events.data.msn.com/	2cc80dabc69f58b6_1.28.dr	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 0000001A.00000003.1393580460.000032580246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000001A.00000003.1393215004.0000325802464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199839170361go77lhMozilla/5.0	Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://outlook.live.com/mail/0/	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://docs.google.com/presentation/J	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://49.13.158.58N	Wake.com, 0000000C.00000002.2165101677.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/drive/installwebapp?usp=chrome_default	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346373016.0000203C0071C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/edge/ntp	000003.log7.28.dr, 2cc80dabc69f58b6_1.28.dr	false		high
https://assets.msn.com/resolver/	2cc80dabc69f58b6_1.28.dr	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 00000010.00000002.1344111795.0000203C000F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	jPKFh06jHI.exe	false		high
https://tidal.com/	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://docs.google.com/presentation/:	chrome.exe, 00000010.00000002.1348276849.0000203C00A90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com	000003.log1.28.dr, 2cc80dabc69f58b6_0.28.dr	false		high
https://lens.google.com/gen204	chrome.exe, 00000010.00000003.1299133666.0000203C00604000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msn.com/	msedge.exe, 0000001A.00000002.1405136815.00003258024C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Wake.com, 0000000C.00000002.2166362758.0000000003785000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346192972.0000203C006D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1347387744.0000203C008C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1346221527.0000203C006E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344939441.0000203C003CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349395091.0000203C00E44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1344309759.0000203C00164000.00000004.00000800.00020000.00000000.sdmp, sriwln.12.dr	false		high
https://gaana.com/	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://mail.google.com/mail/?tab=rm&ogbl	chrome.exe, 00000010.00000002.1345257733.0000203C00440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299443705.0000203C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.1299573499.0000203C01558000.00000004.00000800.00020000.00000000.sdmp	false		high
https://outlook.live.com/mail/compose?isExtension=true	c42630f2-a00c-46da-a4a5-6358f893018a.tmp.28.dr	false		high
https://49.13.158.58hello	Wake.com, 0000000C.00000002.2166362758.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121823251.0000000001256000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2168427542.0000000003A11000.00000040.00001000.00020000.00000000.sdmp, Wake.com, 0000000C.00000002.2165101677.0000000001177000.00000004.00000020.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121478187.0000000003733000.00000004.00000800.00020000.00000000.sdmp, Wake.com, 0000000C.00000003.1121593164.0000000003A15000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW	chrome.exe, 00000010.00000002.1349046088.0000203C00D4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348332900.0000203C00AB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://policies.google.com/	chrome.exe, 00000010.00000003.1272548326.0000203C01260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1348895256.0000203C00CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.1349019724.0000203C00D34000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.204.152.207	a416.dscd.akamai.net	United States	20940	AKAMAI-ASN1EU	false
142.251.40.206	plus.l.google.com	United States	15169	GOOGLEUS	false
49.13.158.58	unknown	Germany	24940	HETZNER-ASDE	true
83.217.208.144	unknown	Russian Federation	31514	INF-NET-ASRU	true
20.189.173.17	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.125.209.212	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.219.161.138	a233.dscd.akamai.net	United States	20940	AKAMAI-ASN1EU	false
108.139.47.92	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
23.204.152.202	unknown	United States	20940	AKAMAI-ASN1EU	false
142.251.40.193	unknown	United States	15169	GOOGLEUS	false
150.171.28.10	ax-0001.ax-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.44.201.22	unknown	United States	20940	AKAMAI-ASN1EU	false
20.110.205.119	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.35.170	ogads-pa.clients6.google.com	United States	15169	GOOGLEUS	false
142.251.40.164	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
18.164.96.83	unknown	United States	3	MIT-GATEWAYSUS	false
23.44.201.7	unknown	United States	20940	AKAMAI-ASN1EU	false
150.171.27.12	ax-0003.ax-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.44.201.4	unknown	United States	20940	AKAMAI-ASN1EU	false
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.7
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1658540
Start date and time:	2025-04-07 18:08:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jPKFh06jHI.exe renamed because original name is a hash value
Original Sample Name:	9baf61196c985b17067f787d6373f142.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@89/302@30/25
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 67 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, RuntimeBroker.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.54.127.164, 142.250.65.163, 142.250.81.238, 142.250.72.110, 172.253.115.84, 142.250.80.78, 142.250.176.195, 142.251.32.110, 142.251.35.174, 13.107.42.16, 142.250.65.206, 13.107.6.158, 40.74.81.198, 104.77.150.50, 104.77.150.57, 104.77.150.42, 104.77.150.15, 104.77.150.54, 104.77.150.18, 104.77.150.47, 104.77.150.6, 104.77.150.14, 23.204.152.201, 23.204.152.217, 23.219.36.110, 23.219.36.106, 104.70.121.192, 104.70.121.138, 104.70.121.217, 104.70.121.179, 104.70.121.160, 104.70.121.194, 104.70.121.186, 104.70.121.184, 104.70.121.177, 23.219.82.88, 23.219.82.99, 23.219.82.83, 23.219.82.98, 23.219.82.82, 23.219.82.89, 23.219.82.8, 23.219.82.91, 23.219.82.90, 23.204.152.204, 142.251.40.227, 142.250.80.3, 142.250.64.99, 4.175.87.197, 184.31.69.3, 150.171.27.11, 13.107.246.40, 40.126.24.146, 150.171.28.11, 4.152.133.8, 23.219.161.135, 150.171.27.10
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, redirector.gvt1.com, prod-agic-jw-1.japanwest.cloudapp.azure.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, th.bing.com, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, c.pki.goog, config.edge.skype.com, www.bing.com, fs.microsoft.com, accounts.google.com, th.bing.com.edgekey.net, api.edgeoffer.microsoft.com, star.sb.tlu.dl.delivery.mp.microsoft.com.edgesuite.net, ctldl.windowsupdate.com, p-th.bing.com.trafficmanager.net, b-0005.b-msedge.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:09:16	API Interceptor	90x Sleep call for process: Wake.com modified
12:09:50	API Interceptor	3127x Sleep call for process: jPKFh06jHI.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
20.189.173.17	https://click.mailchimp.com/track/click/30010842/www.canva.com?p=eyJzIjoiU0pmejVsM21QLVNpRWZtZjVrNFp5WUdNRkdzIiwidiI6MiwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jYW52YS5jb21cXFwvZGVzaWduXFxcL0RBR2psUzlISVk4XFxcL0lta2tMbzducnpJVW5UUXZKTVl5TndcXFwvZWRpdD91dG1fY29udGVudD1EQUdqbFM5SElZOCZ1dG1fY2FtcGFpZ249ZGVzaWduc2hhcmUmdXRtX21lZGl1bT1saW5rMiZ1dG1fc291cmNlPXNoYXJlYnV0dG9uXCIsXCJpZFwiOlwiZGUwMDY4NTU5ZDQ5NGFiZDhlYjczNjU1MGIwNDM4NTdcIixcInVybF9pZHNcIjpbXCI5NGQ5NGFkMTNjZTA1YWY0MzA4YmVjMzkzNTQyMTBlNDY4NDEyNjhlXCJdLFwibXNnX3RzXCI6MTc0NDAwNDYyMn0ifQ	Get hash	malicious	HTMLPhisher	Browse
	7H9CCIVPzr.exe	Get hash	malicious	Unknown	Browse
	DanielEmployee-Handbook-84408.doc	Get hash	malicious	Gabagool	Browse
	Revised - Cwalker 2025 Handbook25807.doc	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	b9bdbc2d.eml	Get hash	malicious	HTMLPhisher	Browse
	original (2).eml	Get hash	malicious	Unknown	Browse
	https://site-xtxg5.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse
	Denise Salvano shared _Kerry Ingredients Flooring Standards_ with you.eml	Get hash	malicious	Unknown	Browse
	q3na5Mc.exe	Get hash	malicious	Vidar	Browse
	https://efax-38.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse
20.125.209.212	mumirolepawers.exe	Get hash	malicious	Vidar	Browse
	huilter.exe	Get hash	malicious	Vidar	Browse
	WQYHIICF.msi	Get hash	malicious	HTMLPhisher	Browse
	http://80.66.84.133/SIEKSQCT.msi	Get hash	malicious	Unknown	Browse
	trin.pdf.lnk	Get hash	malicious	Petite Virus	Browse
	comprom.pdf.lnk	Get hash	malicious	Petite Virus	Browse
	SecuriteInfo.com.Trojan.DownLoaderNET.1144.26432.6688.exe	Get hash	malicious	Unknown	Browse
	Case157450AB.lnk	Get hash	malicious	Unknown	Browse
	nqa3yj3p7N.exe	Get hash	malicious	Vidar	Browse
	cfr4.txt.ps1	Get hash	malicious	Unknown	Browse
162.159.61.3	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse
	installer (1).msi	Get hash	malicious	Unknown	Browse
	LgMVA0QNl7.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.CrypterX-gen.25870.24883.exe	Get hash	malicious	LummaC Stealer, Vidar	Browse
	NightGame Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	TbV75ZR.exe	Get hash	malicious	Vidar	Browse
	JGJRA8m29G.pdf	Get hash	malicious	Unknown	Browse
	installer_ver12.03.exe	Get hash	malicious	Remcos, Vidar	Browse
	mumirolepawers.exe	Get hash	malicious	Vidar	Browse
	Set-up.exe	Get hash	malicious	Vidar	Browse
23.219.161.138	trin.pdf.lnk	Get hash	malicious	Petite Virus	Browse
23.219.161.138	comprom.pdf.lnk	Get hash	malicious	Petite Virus	Browse
23.204.152.207	http://80.66.84.133/SIEKSQCT.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	installer (1).msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	SecuriteInfo.com.Win64.CrypterX-gen.25870.24883.exe	Get hash	malicious	LummaC Stealer, Vidar	Browse	162.159.61.3
	NightGame Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	TbV75ZR.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	NightGame Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	installer_ver12.03.exe	Get hash	malicious	Remcos, Vidar	Browse	172.64.41.3
	mumirolepawers.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	huilter.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	bobobopepep.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
ax-0002.ax-msedge.net	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse	150.171.27.11
	msi (7).msi	Get hash	malicious	RedLine, SectopRAT	Browse	150.171.28.11
	msi (5).msi	Get hash	malicious	DBatLoader, RedLine, SectopRAT	Browse	150.171.27.11
	YTOEOXNI.msi	Get hash	malicious	RedLine, SectopRAT	Browse	150.171.27.11
	ZWXYSMLY.msi	Get hash	malicious	RedLine, SectopRAT	Browse	150.171.27.11
	msi (8).msi	Get hash	malicious	RedLine	Browse	150.171.28.11
	installer (1).msi	Get hash	malicious	Unknown	Browse	150.171.28.11
	SecuriteInfo.com.Win64.CrypterX-gen.25870.24883.exe	Get hash	malicious	LummaC Stealer, Vidar	Browse	150.171.27.11
	TbV75ZR.exe	Get hash	malicious	Vidar	Browse	150.171.28.11
	installer_ver12.03.exe	Get hash	malicious	Remcos, Vidar	Browse	150.171.27.11
ax-0003.ax-msedge.net	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse	150.171.27.12
	wvVWfOjzqo.exe	Get hash	malicious	TrojanRansom	Browse	150.171.27.12
	SecuriteInfo.com.Win64.CrypterX-gen.25870.24883.exe	Get hash	malicious	LummaC Stealer, Vidar	Browse	150.171.27.12
	TbV75ZR.exe	Get hash	malicious	Vidar	Browse	150.171.28.12
	installer_ver12.03.exe	Get hash	malicious	Remcos, Vidar	Browse	150.171.27.12
	mumirolepawers.exe	Get hash	malicious	Vidar	Browse	150.171.28.12
	huilter.exe	Get hash	malicious	Vidar	Browse	150.171.27.12
	bobobopepep.exe	Get hash	malicious	Vidar	Browse	150.171.28.12
	Set-up.exe	Get hash	malicious	Vidar	Browse	150.171.27.12
	Set-up_patched.exe	Get hash	malicious	Vidar	Browse	150.171.28.12
s-part-0012.t-0009.t-msedge.net	https://nut.sh/ell/ed/322238/XZdE6P	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	http://my.altafiber.com	Get hash	malicious	Phisher	Browse	13.107.246.40
	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse	13.107.246.40
	https://click.mailchimp.com/track/click/30010842/www.canva.com?p=eyJzIjoiU0pmejVsM21QLVNpRWZtZjVrNFp5WUdNRkdzIiwidiI6MiwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jYW52YS5jb21cXFwvZGVzaWduXFxcL0RBR2psUzlISVk4XFxcL0lta2tMbzducnpJVW5UUXZKTVl5TndcXFwvZWRpdD91dG1fY29udGVudD1EQUdqbFM5SElZOCZ1dG1fY2FtcGFpZ249ZGVzaWduc2hhcmUmdXRtX21lZGl1bT1saW5rMiZ1dG1fc291cmNlPXNoYXJlYnV0dG9uXCIsXCJpZFwiOlwiZGUwMDY4NTU5ZDQ5NGFiZDhlYjczNjU1MGIwNDM4NTdcIixcInVybF9pZHNcIjpbXCI5NGQ5NGFkMTNjZTA1YWY0MzA4YmVjMzkzNTQyMTBlNDY4NDEyNjhlXCJdLFwibXNnX3RzXCI6MTc0NDAwNDYyMn0ifQ	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	Quote_NF#003.docx	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://kpch.spreco.com.ar/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	uOZ3Iu4I6x.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, XRed	Browse	13.107.246.40
	https://click.mailchimp.com/track/click/30010842/www.canva.com?p=eyJzIjoiU0pmejVsM21QLVNpRWZtZjVrNFp5WUdNRkdzIiwidiI6MiwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jYW52YS5jb21cXFwvZGVzaWduXFxcL0RBR2psUzlISVk4XFxcL0lta2tMbzducnpJVW5UUXZKTVl5TndcXFwvZWRpdD91dG1fY29udGVudD1EQUdqbFM5SElZOCZ1dG1fY2FtcGFpZ249ZGVzaWduc2hhcmUmdXRtX21lZGl1bT1saW5rMiZ1dG1fc291cmNlPXNoYXJlYnV0dG9uXCIsXCJpZFwiOlwiZGUwMDY4NTU5ZDQ5NGFiZDhlYjczNjU1MGIwNDM4NTdcIixcInVybF9pZHNcIjpbXCI5NGQ5NGFkMTNjZTA1YWY0MzA4YmVjMzkzNTQyMTBlNDY4NDEyNjhlXCJdLFwibXNnX3RzXCI6MTc0NDAwNDYyMn0ifQ	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	msi (7).msi	Get hash	malicious	RedLine, SectopRAT	Browse	13.107.246.40
	ZWXYSMLY.msi	Get hash	malicious	RedLine, SectopRAT	Browse	13.107.246.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://nut.sh/ell/ed/322238/XZdE6P	Get hash	malicious	HTMLPhisher	Browse	13.107.6.156
	http://my.altafiber.com	Get hash	malicious	Phisher	Browse	13.107.42.14
	sora.spc.elf	Get hash	malicious	Mirai	Browse	20.124.216.131
	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	https://click.mailchimp.com/track/click/30010842/www.canva.com?p=eyJzIjoiU0pmejVsM21QLVNpRWZtZjVrNFp5WUdNRkdzIiwidiI6MiwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jYW52YS5jb21cXFwvZGVzaWduXFxcL0RBR2psUzlISVk4XFxcL0lta2tMbzducnpJVW5UUXZKTVl5TndcXFwvZWRpdD91dG1fY29udGVudD1EQUdqbFM5SElZOCZ1dG1fY2FtcGFpZ249ZGVzaWduc2hhcmUmdXRtX21lZGl1bT1saW5rMiZ1dG1fc291cmNlPXNoYXJlYnV0dG9uXCIsXCJpZFwiOlwiZGUwMDY4NTU5ZDQ5NGFiZDhlYjczNjU1MGIwNDM4NTdcIixcInVybF9pZHNcIjpbXCI5NGQ5NGFkMTNjZTA1YWY0MzA4YmVjMzkzNTQyMTBlNDY4NDEyNjhlXCJdLFwibXNnX3RzXCI6MTc0NDAwNDYyMn0ifQ	Get hash	malicious	HTMLPhisher	Browse	20.42.73.31
	Quote_NF#003.docx	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://kpch.spreco.com.ar/	Get hash	malicious	HTMLPhisher	Browse	13.107.6.156
	uOZ3Iu4I6x.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, XRed	Browse	13.107.246.40
	http://nsubddse.proacteye.com/rd/4EaTnI6331JzCB727gwacifhvrr249LTLITTNGHRGELJP571410HIPC41923S12?NRpaAYQBQEaiWcfZy-iDxOnKpwTM-vPqDpt	Get hash	malicious	Unknown	Browse	20.157.93.108
	https://click.mailchimp.com/track/click/30010842/www.canva.com?p=eyJzIjoiU0pmejVsM21QLVNpRWZtZjVrNFp5WUdNRkdzIiwidiI6MiwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jYW52YS5jb21cXFwvZGVzaWduXFxcL0RBR2psUzlISVk4XFxcL0lta2tMbzducnpJVW5UUXZKTVl5TndcXFwvZWRpdD91dG1fY29udGVudD1EQUdqbFM5SElZOCZ1dG1fY2FtcGFpZ249ZGVzaWduc2hhcmUmdXRtX21lZGl1bT1saW5rMiZ1dG1fc291cmNlPXNoYXJlYnV0dG9uXCIsXCJpZFwiOlwiZGUwMDY4NTU5ZDQ5NGFiZDhlYjczNjU1MGIwNDM4NTdcIixcInVybF9pZHNcIjpbXCI5NGQ5NGFkMTNjZTA1YWY0MzA4YmVjMzkzNTQyMTBlNDY4NDEyNjhlXCJdLFwibXNnX3RzXCI6MTc0NDAwNDYyMn0ifQ	Get hash	malicious	HTMLPhisher	Browse	13.107.42.14
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse	78.47.105.59
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	RFQ 6000066536 - PR 10023150.exe	Get hash	malicious	FormBook	Browse	144.76.229.203
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	RtpKzWv1ui.exe	Get hash	malicious	FormBook	Browse	88.198.219.246
	BBjDSx0iWh.exe	Get hash	malicious	FormBook	Browse	144.76.229.203
INF-NET-ASRU	http://www.delawarejellystone.com	Get hash	malicious	Unknown	Browse	89.169.52.197
	m4n1AQRhaP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	83.217.209.253
	Software Installer.exe	Get hash	malicious	Unknown	Browse	83.217.208.69
	http://89.169.13.138/3.exe	Get hash	malicious	Unknown	Browse	89.169.13.138
	tlses(x86).exe	Get hash	malicious	CryptOne, RHADAMANTHYS	Browse	83.217.208.90
	vstdlib_s64.dll.dll	Get hash	malicious	RHADAMANTHYS	Browse	83.217.208.36
	Limba#U017ei.dll.dll	Get hash	malicious	RHADAMANTHYS	Browse	83.217.208.96
	albion.ps1	Get hash	malicious	Unknown	Browse	83.217.208.90
	https://report-dto51bfgo7f.pages.dev/	Get hash	malicious	Unknown	Browse	83.217.208.90
	osnova.ps1	Get hash	malicious	Unknown	Browse	83.217.208.90
AKAMAI-ASN1EU	https://nut.sh/ell/ed/322238/XZdE6P	Get hash	malicious	HTMLPhisher	Browse	23.209.72.9
	http://my.altafiber.com	Get hash	malicious	Phisher	Browse	23.54.161.81
	nvda_2024.4.2.exe	Get hash	malicious	Unknown	Browse	172.236.133.164
	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse	23.204.152.234
	https://hi.txjpejsyz.es/kgOKFB/#Ejoseph.crecca@boarshead.com	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	23.209.72.34
	https://click.mailchimp.com/track/click/30010842/www.canva.com?p=eyJzIjoiU0pmejVsM21QLVNpRWZtZjVrNFp5WUdNRkdzIiwidiI6MiwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jYW52YS5jb21cXFwvZGVzaWduXFxcL0RBR2psUzlISVk4XFxcL0lta2tMbzducnpJVW5UUXZKTVl5TndcXFwvZWRpdD91dG1fY29udGVudD1EQUdqbFM5SElZOCZ1dG1fY2FtcGFpZ249ZGVzaWduc2hhcmUmdXRtX21lZGl1bT1saW5rMiZ1dG1fc291cmNlPXNoYXJlYnV0dG9uXCIsXCJpZFwiOlwiZGUwMDY4NTU5ZDQ5NGFiZDhlYjczNjU1MGIwNDM4NTdcIixcInVybF9pZHNcIjpbXCI5NGQ5NGFkMTNjZTA1YWY0MzA4YmVjMzkzNTQyMTBlNDY4NDEyNjhlXCJdLFwibXNnX3RzXCI6MTc0NDAwNDYyMn0ifQ	Get hash	malicious	HTMLPhisher	Browse	23.33.44.233
	https://kpch.spreco.com.ar/	Get hash	malicious	HTMLPhisher	Browse	23.219.82.161
	http://nsubddse.proacteye.com/rd/4EaTnI6331JzCB727gwacifhvrr249LTLITTNGHRGELJP571410HIPC41923S12?NRpaAYQBQEaiWcfZy-iDxOnKpwTM-vPqDpt	Get hash	malicious	Unknown	Browse	23.199.49.237
	https://click.mailchimp.com/track/click/30010842/www.canva.com?p=eyJzIjoiU0pmejVsM21QLVNpRWZtZjVrNFp5WUdNRkdzIiwidiI6MiwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5jYW52YS5jb21cXFwvZGVzaWduXFxcL0RBR2psUzlISVk4XFxcL0lta2tMbzducnpJVW5UUXZKTVl5TndcXFwvZWRpdD91dG1fY29udGVudD1EQUdqbFM5SElZOCZ1dG1fY2FtcGFpZ249ZGVzaWduc2hhcmUmdXRtX21lZGl1bT1saW5rMiZ1dG1fc291cmNlPXNoYXJlYnV0dG9uXCIsXCJpZFwiOlwiZGUwMDY4NTU5ZDQ5NGFiZDhlYjczNjU1MGIwNDM4NTdcIixcInVybF9pZHNcIjpbXCI5NGQ5NGFkMTNjZTA1YWY0MzA4YmVjMzkzNTQyMTBlNDY4NDEyNjhlXCJdLFwibXNnX3RzXCI6MTc0NDAwNDYyMn0ifQ	Get hash	malicious	HTMLPhisher	Browse	23.209.72.9
	YTOEOXNI.msi	Get hash	malicious	RedLine, SectopRAT	Browse	23.44.133.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	841921513_x64.dll.dll	Get hash	malicious	Unknown	Browse	49.13.158.58
	uicl9HAuoi.exe	Get hash	malicious	Unknown	Browse	49.13.158.58
	841921513_x64.dll.dll	Get hash	malicious	Unknown	Browse	49.13.158.58
	uicl9HAuoi.exe	Get hash	malicious	Unknown	Browse	49.13.158.58
	UawSjJJHvV.exe	Get hash	malicious	Socks5Systemz	Browse	49.13.158.58
	luWow7XoM6.exe	Get hash	malicious	Socks5Systemz	Browse	49.13.158.58
	pBYl2fOFZX.exe	Get hash	malicious	Socks5Systemz	Browse	49.13.158.58
	pBYl2fOFZX.exe	Get hash	malicious	Socks5Systemz	Browse	49.13.158.58
	file.exe	Get hash	malicious	CryptOne, LummaC Stealer, Socks5Systemz	Browse	49.13.158.58
	file.exe	Get hash	malicious	Socks5Systemz	Browse	49.13.158.58

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\714380\Wake.com	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	Vidar	Browse
	#Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe	Get hash	malicious	Unknown	Browse
	#Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	LatestLeave.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer	Browse
	LatestLeave.exe	Get hash	malicious	AsyncRAT	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse

Process:	C:\Users\user\AppData\Local\Temp\714380\Wake.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56063
Entropy (8bit):	6.102741065172069
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynxPGWv/sxtwu7VLyMV/YoskFoQ:z/0+zI7ynpv/4KMVeZoskx
MD5:	5A7728CC31F825EC1FBA7FE02ABB31CF
SHA1:	4DD27A2532DC016307EC6370D9A9642FD06C02B4
SHA-256:	8418D066DD60D5C65E8B567B71BC8CD68E398261FFA9122B53713FB90FCB40BA
SHA-512:	C5B327AF59D0F94D15F4918BEF161543444E3BCB6F10389DBAD4314C2C5DB16AA25FFEB6987605B46AF31D32B16EC316DF9E48B155C85DF020E06D778D05EE70
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	273723
Entropy (8bit):	7.999243667150374
Encrypted:	true
SSDEEP:	6144:HLPyokBA/X3/t30VZGmf068SkDDcS8IgSX02U:GopX3/t3OsxDDcvIE2U
MD5:	0CD24A64CBE479DE1CA8283C5CE9E733
SHA1:	DA22CDD32F7C9E02ED434E2886A113BB87DAE658
SHA-256:	22C0CC90AB7899923148A5EB3868204046043D414F9F7DBFDE5123CC6983C7EE
SHA-512:	9F904EC2DA58AB527AD1F1231757D5B2DB8E7B4C52878BBA86EC8A0B9D8FFEEF0C738229710628FE735C967F1AE22EA2217CFB634C258A173E1BD4A4FF5A0362
Malicious:	false
Preview:	.'@......{5.t.G....L.(u.t...P.<..$...~.(.`..-.Q-.....y..{...]..M.p#.4.:g#...5G.t.1....Gs<m...`.....,...g.q..4j..+..._...........F.G.Sc=.3..9...4...>S..9..#....vt<..z.q...>m...r.)....V.7.........P.m.h.....w.dWF.M..H...B\X..e...."5..z8HX....~.b./....+.....M!s:l5.........l...{ '+_M..j.+.V.K.HI...^..C..m(b7s.S.@..C.......7.Z#...d........z.Z.G.y.s.K=h\|..C.p...i6x@..>.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Ma......m@nD<....d....s..........x.C\X...........J...+....^.w.5............?r.Q..m;.....w.....;.&.......2..g2"~?]...%kC...p...G...................m.......m...kC.R......%x....}...q..U-...(....%....V..?p.he....,.. .o.UA..1.An....H.`>$O.ng.)........s+V.p...'\|.G...!.$..n.K...;E..<J.W.C3.lY....A8>..>..1...32...T8}..,...E......S..i=.#\In>3(..?..l...[I...kRa.....j.........m......^..x.5...x..2).U.j.....>.\|#.~.\........`............7.,L.="i.0 G..e.z'.z.x.C.+=._..J.]....-..Xm-........t.t T.....7..r..n!.

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	6.732987252144287
Encrypted:	false
SSDEEP:	1536:OEYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOEt:SWy4ZNoGmROL7F1G7ho2kOS
MD5:	4A11941A8B60E80500E6D4D3DAA8CEA2
SHA1:	F7D683B4F2114CF4E8D63F105DAB2E9097846883
SHA-256:	9F8E2771A4FF4D1292DBD040928E60C4E2BD96464E8F21F711A76C6196DE1652
SHA-512:	D8BCF7593D92B89DC0D9088A6AAAC6A8E194FDED5E12987FAD75593FBBE18E7720A6D69F17BB42D60C3B8C7FE62488FBB56323EDE37BC8B647BD09EE814E0FB6
Malicious:	false
Preview:	.b.e. .u.s.e.d. .i.n.s.t.e.a.d... . .S.e.e. .t.h.e. .D.l.l.C.a.l.l.(.). .d.o.c.u.m.e.n.t.a.t.i.o.n. .f.o.r. .d.e.t.a.i.l.s. .o.n. .c.h.a.n.g.i.n.g. .t.h.e. .c.a.l.l.i.n.g. .c.o.n.v.e.n.t.i.o.n.....".E.n.d.W.i.t.h.". .m.i.s.s.i.n.g. .".W.i.t.h."...!.B.a.d.l.y. .f.o.r.m.a.t.t.e.d. .".F.u.n.c.". .s.t.a.t.e.m.e.n.t.....".W.i.t.h.". .m.i.s.s.i.n.g. .".E.n.d.W.i.t.h."...(.M.i.s.s.i.n.g. .r.i.g.h.t. .b.r.a.c.k.e.t. .'.).'. .i.n. .e.x.p.r.e.s.s.i.o.n.....M.i.s.s.i.n.g. .o.p.e.r.a.t.o.r. .i.n. .e.x.p.r.e.s.s.i.o.n...".U.n.b.a.l.a.n.c.e.d. .b.r.a.c.k.e.t.s. .i.n. .e.x.p.r.e.s.s.i.o.n.....E.r.r.o.r. .i.n. .e.x.p.r.e.s.s.i.o.n.....E.r.r.o.r. .p.a.r.s.i.n.g. .f.u.n.c.t.i.o.n. .c.a.l.l.......>.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i.s.s.i.n.g. .".E.n.d.S.e.l.e.c.t.". .o.r. .".C.a.s.e.". .s.t.a.t.e.m.e.n.t...+.".I.f.". .s.t.a.t.e.m.e.n.t.s. .m.u.s.t. .h.a.v.e. .a. .".T.h.e.n.". .k.e.y.w.o.r.d... .B.a.d.l.y. .f.o.r.m.a.t.e.d. .S.t.r.u.c.t. .s.t.a.t.e.m.e.n.t...".C.a.n.n.o.t. .a.s.s.i.g.n. .v.a

Process:	C:\Users\user\Desktop\jPKFh06jHI.exe
File Type:	ASCII text, with very long lines (1746), with CRLF line terminators
Category:	dropped
Size (bytes):	31945
Entropy (8bit):	5.102070171388372
Encrypted:	false
SSDEEP:	768:gRq4PTgiIJkgcn7heWhmi949P72UUmm+BZ:gRjWROFB62UUmB
MD5:	89C543FDCF5029E8A2699C214E9794C6
SHA1:	B5793956001C41AC3B997D46AA3CC8D486F632CB
SHA-256:	C6294C4B72D2F1EC0CE9C739618EFE8EE6C235BF027A13F896D102F35D1142E2
SHA-512:	CEEEBB20548F1F815420CDD02CCE919447974C6F57041228A2FA181FC0A340F2FD2A639E4C3F57F3996A987BD77DDAB34FB9997416721171DB2C39A731E1E3E3
Malicious:	false
Preview:	Set Exciting=T..EPhEDiscovered(Apr(..jqlQBucks(Fusion(Mysql(Operating(Trembl(Trans(Uni(License(..FPFOGroup(Pm(..tQJBCopyrighted(Lovely(Attendance(Meditation(Outlook(Harvest(Summaries(Whole(Raymond(..KwLdMonte(Designated(Tracy(..Set Sleeps=f..yEOperations(Singing(Census(Numbers(Excluded(Alto(Contract(Implied(Occasional(..UPhlGrade(Squirt(Than(Links(Playstation(Sorted(Marshall(Investor(Bedrooms(..hVsInterface(Trackback(Sw(English(Museum(..sDqTEmphasis(Medal(Specifications(Anal(..vTcCeramic(Trustee(Corporation(Mumbai(Tom(Blend(..arAustria(Builder(..YiYqPools(Emotions(Mobility(Slideshow(Spirit(..yzPublicly(Http(Maximize(..zmIsProof(Ecuador(Greensboro(Karaoke(Specification(..Set Referral=K..GpzLBob(Cholesterol(Lounge(Recovery(Neon(Tide(Lemon(..NVcaAnalyst(Poem(Housing(Guy(Seal(Resources(..obUNotebook(September(Citizen(By(Ripe(Shanghai(Struct(Nickname(Sie(..wXDLender(Agent(Sticks(..excWealth(Decreased(Sandra(Hired(Cove(Good(Opt(Because(..HhGSelection(Regular(..tXeMaps(Behavior(Abandoned(Read

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.762329971173265
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jPKFh06jHI.exe
File size:	1'122'194 bytes
MD5:	9baf61196c985b17067f787d6373f142
SHA1:	1dda434580f65aff8e0f9dbcd20a3e46c56db89e
SHA256:	12dab9b1e693d996b00cd7812e3aa160fe3d85bd3441eb5655fd5f5d853984be
SHA512:	aab5ab05d9a5d4a8734ab5c4d8fc4ed1211d95f57894179144cbc77f94e4d7d67a627ef86abdfe2cb96c56a9d089882cc7af709c1651adb6a09ab1a4b6cfe3d1
SSDEEP:	12288:JtCOVG0JhTnUOucVcXpbjaCHgjD2MbbSnaF2KyGFIlqIhrEkoAbjKaA:JtC0G0JhTndBVcZbQD2MbbJBshyJaA
TLSH:	00351DC823524647CE7B05B73FEA0EDDDA73975326C2929F2801F7B8A25A159435BF20
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6..fX..fX..fX...5..fX...#..fX..fY.,fX......fX......fX......fX.Rich.fX.........PE..L....l.K.................d...\|>..B...3.....

Entrypoint:	0x4033ff
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4BC06CBA [Sat Apr 10 12:19:06 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf95d1fc1d10de18b32654b123ad5e1f

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89f0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x470000	0x14eb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x31400022	0x1f70
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63c2	0x6400	0222e192e15f5dae2b2916129612c20e	False	0.6772265625	data	6.5339670071373455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x18ca	0x1a00	7eb0899a4b6211f8bc545228417d92ad	False	0.42427884615384615	data	4.878367399492845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x3e4ebc	0x200	6966cfc8c85a950bb67188d20603933d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3ef000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x470000	0x14eb0	0x15000	536b28a2bfaf547a5569e1076df39640	False	0.8720470610119048	data	7.44738136122566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x470280	0xdcc8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9943205944798301
RT_ICON	0x47df48	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.3422497965825875
RT_ICON	0x4805b0	0x18df	PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced	English	United States	1.0017276582377885
RT_ICON	0x481e90	0x14d2	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.002063789868668
RT_ICON	0x483368	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.4237249544626594
RT_ICON	0x484490	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5629432624113475
RT_DIALOG	0x4848f8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4849f8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x484b18	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x484b78	0x5a	data	English	United States	0.7888888888888889
RT_MANIFEST	0x484bd8	0x2d4	XML 1.0 document, ASCII text, with very long lines (724), with no line terminators	English	United States	0.5649171270718232

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jPKFh06jHI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\00hl6\16phvsjmg

C:\ProgramData\00hl6\8gvk6x

C:\ProgramData\00hl6\jmyuai

C:\ProgramData\00hl6\ngv37y

C:\ProgramData\00hl6\sjmgvk

C:\ProgramData\00hl6\sriwln

C:\ProgramData\00hl6\vkfkno

C:\ProgramData\00hl6\w47qq9rqq

Windows Analysis Report
jPKFh06jHI.exe