

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1616298
MD5: 2dfce881ad2ca0ca30c5ed6a92230b3f
SHA1: c6792769d515fe768c4b81b123127cb0a08bd4ce
SHA256: 230d14997dbfa46128e59c5e2b54f542adb297b1b034f740078fb8d8c03d3df8
Tags: exe, vidar, user-aachum

Detection

Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Performs DNS queries to domains with low reputation
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Setup.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 2DFCE881AD2CA0CA30C5ED6A92230B3F)
    • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Setup.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 2DFCE881AD2CA0CA30C5ED6A92230B3F)
      • chrome.exe (PID: 8000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 7304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 --field-trial-handle=2244,i,15866123195984460800,8169958791410487907,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • cmd.exe (PID: 8040 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Setup.exe" & rd /s /q "C:\ProgramData\8qimg" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 2132 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 7732 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 1148 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.1821672563.0000000003699000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp | infostealer_win_vidar_strings_nov23 | Finds Vidar samples based on the specific strings | Sekoia.io
  • 0x1ad7f:$str01: MachineID:
  • 0x19d4f:$str02: Work Dir: In memory
  • 0x1ae27:$str03: [Hardware]
  • 0x1ad68:$str04: VideoCard:
  • 0x1a4c0:$str05: [Processes]
  • 0x1a4cc:$str06: [Software]
  • 0x19de0:$str07: information.txt
  • 0x1aabc:$str08: %s\*
  • 0x1ab09:$str08: %s\*
  • 0x19ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
  • 0x1a392:$str12: UseMasterPassword
  • 0x1ae33:$str13: Soft: WinSCP
  • 0x1a86b:$str14: <Pass encoding="base64">
  • 0x1ae16:$str15: Soft: FileZilla
  • 0x19dd2:$str16: passwords.txt
  • 0x1a3bd:$str17: build_id
  • 0x1a484:$str18: file_data
Process Memory Space: Setup.exe PID: 7572 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.Setup.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.Setup.exe.400000.0.raw.unpack | infostealer_win_vidar_strings_nov23 | Finds Vidar samples based on the specific strings | Sekoia.io
  • 0x1ad7f:$str01: MachineID:
  • 0x19d4f:$str02: Work Dir: In memory
  • 0x1ae27:$str03: [Hardware]
  • 0x1ad68:$str04: VideoCard:
  • 0x1a4c0:$str05: [Processes]
  • 0x1a4cc:$str06: [Software]
  • 0x19de0:$str07: information.txt
  • 0x1aabc:$str08: %s\*
  • 0x1ab09:$str08: %s\*
  • 0x19ffd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
  • 0x1a392:$str12: UseMasterPassword
  • 0x1ae33:$str13: Soft: WinSCP
  • 0x1a86b:$str14: <Pass encoding="base64">
  • 0x1ae16:$str15: Soft: FileZilla
  • 0x19dd2:$str16: passwords.txt
  • 0x1a3bd:$str17: build_id
  • 0x1a484:$str18: file_data
2.2.Setup.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.Setup.exe.400000.0.unpack | infostealer_win_vidar_strings_nov23 | Finds Vidar samples based on the specific strings | Sekoia.io
  • 0x19f7f:$str01: MachineID:
  • 0x18f4f:$str02: Work Dir: In memory
  • 0x1a027:$str03: [Hardware]
  • 0x19f68:$str04: VideoCard:
  • 0x196c0:$str05: [Processes]
  • 0x196cc:$str06: [Software]
  • 0x18fe0:$str07: information.txt
  • 0x19cbc:$str08: %s\*
  • 0x19d09:$str08: %s\*
  • 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration
  • 0x19592:$str12: UseMasterPassword
  • 0x1a033:$str13: Soft: WinSCP
  • 0x19a6b:$str14: <Pass encoding="base64">
  • 0x1a016:$str15: Soft: FileZilla
  • 0x18fd2:$str16: passwords.txt
  • 0x195bd:$str17: build_id
  • 0x19684:$str18: file_data
0.2.Setup.exe.3699550.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

                  System Summary

Source: Process started; Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 7636, ParentProcessName: Setup.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 8000, ProcessName: chrome.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-16T14:06:16.826513+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 78.47.75.136 | 443 | 192.168.2.4 | 49741 | TCP
2025-02-16T14:06:18.184641+0100 | 2051831 | 1 | Malware Command and Control Activity Detected | 78.47.75.136 | 443 | 192.168.2.4 | 49742 | TCP
2025-02-16T14:06:15.515059+0100 | 2049087 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:19.582636+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:20.601113+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:29.419089+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49774 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:29.712087+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49775 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:30.729571+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:31.840269+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49777 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:33.707586+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49778 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:33.931542+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49779 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:35.064125+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49780 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:36.079681+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49781 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:37.105962+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:38.116755+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49783 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:40.162740+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49784 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:41.487929+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49785 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:46.094287+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49788 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:49.574101+0100 | 2059331 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49789 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:29.712087+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49775 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:30.729571+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49776 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:31.840269+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49777 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:33.931542+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49779 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:35.064125+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49780 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:36.079681+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49781 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:37.105962+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:38.116755+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49783 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:40.162740+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49784 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:41.487929+0100 | 2859636 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49785 | 78.47.75.136 | 443 | TCP
2025-02-16T14:06:14.182178+0100 | 2859378 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 78.47.75.136 | 443 | TCP


                  AV Detection

Source: Setup.exe; Avira: detected
Source: 00000000.00000002.1821672563.0000000003699000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199825403037", "Botnet": "oomaino5"}
Source: Setup.exe; Virustotal: Detection: 47%
Source: Setup.exe; ReversingLabs: Detection: 45%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00405FE7 CryptUnprotectData,LocalAlloc,LocalFree,2_2_00405FE7
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_0040E7E9 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,2_2_0040E7E9
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00406062 BCryptCloseAlgorithmProvider,BCryptDestroyKey,2_2_00406062
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_0040627F LocalAlloc,BCryptDecrypt,2_2_0040627F
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_0040609C BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,2_2_0040609C
Source: unknown; HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 78.47.75.136:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Setup.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: Setup.exe, 00000000.00000002.1821672563.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: vdr1.pdb source: Setup.exe, Setup.exe, 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: Defence.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.pdb) source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: mscorlib.pdbv source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: C:\Users\Admin\source\repos\Defence\Defence\obj\Release\Defence.pdb source: Setup.exe
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Setup.exe, Setup.exe, 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb` source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.ni.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.pdb source: WERA234.tmp.dmp.5.dr
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00412A5D wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_00412A5D
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose,2_2_00407891
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,2_2_0040A69C
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_00408776
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00413B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose,2_2_00413B10
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00411BD2 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,2_2_00411BD2
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose,2_2_004013DA
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,2_2_00406784
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00411187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,2_2_00411187
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,2_2_00409C78
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_00408224
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00412539 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,2_2_00412539
Source: C:\Users\user\Desktop\Setup.exe; Code function: 2_2_00411722 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,2_2_00411722
Source: C:\Users\user\Desktop\Setup.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Users\user\Desktop\Setup.exe; File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Users\user\Desktop\Setup.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5
Source: C:\Users\user\Desktop\Setup.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Users\user\Desktop\Setup.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\Setup.exe; File opened: C:\Users\user\
Source: chrome.exe; Memory has grown: Private usage: 11MB later: 40MB

                  Networking

Source: Network traffic; Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49739 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49744 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49746 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49774 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49778 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49775 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49775 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49776 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49776 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49735 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.75.136:443 -> 192.168.2.4:49742
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49780 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49780 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49781 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49781 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49779 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49779 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49783 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49783 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49784 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49784 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.75.136:443 -> 192.168.2.4:49741
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49777 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49777 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49782 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49782 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49788 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49789 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49785 -> 78.47.75.136:443
Source: Network traffic; Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49785 -> 78.47.75.136:443
                  Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199825403037
                  Source: DNS query: xu3.201008281.xyz
                  Source: global trafficHTTP traffic detected: GET /b4cha00 HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
                  Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
                  Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
                  Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_00403C79 InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle, InternetCloseHandle | 2_2_00403C79
Source: global traffic | HTTP traffic detected: GET /b4cha00 HTTP/1.1 | Host: t.me | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0 | Host: xu3.201008281.xyz | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1 | Host: apis.google.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: chrome.exe, 00000006.00000003.1808568709.000049A0003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1808433153.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1808505255.000049A000F44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: xu3.201008281.xyz
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: apis.google.com
Source: global traffic | DNS traffic detected: DNS query: play.google.com
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----hv3ek6fknop8ym7ymoph | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0 | Host: xu3.201008281.xyz | Content-Length: 256 | Connection: Keep-Alive | Cache-Control: no-cache
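The traffic rows above carry the pattern the report's signatures keyed on: a GET to a Telegram page (t.me/b4cha00) plus a Steam profile URL in the extracted configuration, both used as dead-drop resolvers for the real C2, then a GET and a multipart POST from the WinINet routine at 2_2_00403C79 to xu3.201008281.xyz with a Firefox-on-macOS User-Agent, while the sandbox's own Chrome traffic identifies itself as Windows NT 10.0. The Python triage script below is an added example, not part of the Joe Sandbox report and not a reproduction of any Suricata rule; it parses raw request heads and flags those three things. The sample requests are constructed from the headers captured above (the steamcommunity.com GET is built from the configuration URL and was not in the capture), the dead-drop path regexes and the boundary-shape check are my own heuristics, and the "sparse WinINet header set" test approximates what ET 2059331 looks for rather than reproducing the rule.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed from the request heads captured in this report, CRLF-joined.
# The steamcommunity.com GET is built from the extracted config URL, not from the capture.
MAC_FF_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0"
WIN_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36")
SAMPLE_REQUESTS: List[str] = [
    "GET /b4cha00 HTTP/1.1\r\nHost: t.me\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /profiles/76561199825403037 HTTP/1.1\r\nHost: steamcommunity.com\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    f"GET / HTTP/1.1\r\nUser-Agent: {MAC_FF_UA}\r\nHost: xu3.201008281.xyz\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "POST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----hv3ek6fknop8ym7ymoph\r\n"
    f"User-Agent: {MAC_FF_UA}\r\nHost: xu3.201008281.xyz\r\nContent-Length: 256\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /async/newtab_promos HTTP/1.1\r\nHost: www.google.com\r\nConnection: keep-alive\r\n"
    "Sec-Fetch-Site: cross-site\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: empty\r\n"
    f"User-Agent: {WIN_CHROME_UA}\r\nAccept-Encoding: gzip, deflate, br\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n\r\n",
]


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def host(self) -> str:
        return self.headers.get("host", "").lower()


def parse_request(raw: str) -> HttpRequest:
    """Parse the head of a raw HTTP/1.1 request; header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.upper(), path, headers)


# Dead-drop resolvers seen in this report: a Telegram channel page and a Steam profile page.
# The path shapes are my assumption, not taken from the report or from the malware.
DEAD_DROP_PATHS = {
    "t.me": re.compile(r"^/[A-Za-z0-9_]{5,32}$"),
    "steamcommunity.com": re.compile(r"^/profiles/\d{17}$"),
}
# Headers a browser-originated form POST carries and the captured WinINet POST does not.
BROWSER_ONLY_HEADERS = ("accept", "accept-language", "referer", "origin", "sec-fetch-mode")
# Assumption: boundary shape of the captured POST, '----' followed by 20 lowercase alphanumerics.
STEALER_BOUNDARY = re.compile(r"boundary=----[a-z0-9]{20}$")
UA_PLATFORM = re.compile(r"\((Windows NT|Macintosh|X11; Linux|Android|iPhone)")


def is_dead_drop(req: HttpRequest) -> bool:
    pat = DEAD_DROP_PATHS.get(req.host)
    return bool(pat and req.method == "GET" and pat.match(req.path))


def is_stealer_post(req: HttpRequest) -> bool:
    """Multipart POST carrying only the sparse header set of a bare WinINet client."""
    ctype = req.headers.get("content-type", "")
    if req.method != "POST" or not ctype.startswith("multipart/form-data"):
        return False
    if any(h in req.headers for h in BROWSER_ONLY_HEADERS):
        return False
    sparse_wininet = (req.headers.get("connection", "").lower() == "keep-alive"
                      and req.headers.get("cache-control", "").lower() == "no-cache")
    return sparse_wininet or bool(STEALER_BOUNDARY.search(ctype))


def ua_platform(req: HttpRequest):
    """Platform token claimed by the User-Agent, or None if there is no UA."""
    m = UA_PLATFORM.search(req.headers.get("user-agent", ""))
    return m.group(1) if m else None


def triage(raw_requests: List[str], host_os: str = "Windows NT") -> Dict[str, object]:
    """Run the three checks over a capture and name the hosts they implicate."""
    dead_drop: List[str] = []
    exfil: List[str] = []
    ua_mismatch: List[str] = []
    for raw in raw_requests:
        req = parse_request(raw)
        if is_dead_drop(req):
            dead_drop.append(req.host + req.path)
        if is_stealer_post(req) and req.host not in exfil:
            exfil.append(req.host)
        plat = ua_platform(req)
        # A client on a Windows host claiming macOS Firefox is using a hard-coded UA string.
        if plat and plat != host_os and req.host not in ua_mismatch:
            ua_mismatch.append(req.host)
    verdict = "vidar-like" if dead_drop and exfil else "inconclusive"
    return {"dead_drop": dead_drop, "exfil": exfil, "ua_mismatch": ua_mismatch, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

Run against the constructed capture, triage() names both dead-drop fetches, xu3.201008281.xyz as the exfil host, and the same host for the UA/platform mismatch; the Chrome request to www.google.com trips none of the checks because it carries Accept-* and Sec-Fetch-* headers and a Windows UA. The dead-drop check on its own is not a verdict, since legitimate software fetches t.me and Steam pages; it is the combination with a sparse multipart POST to a freshly resolved host that makes the pattern worth escalating.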
Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory: http://anglebug.com/1423136, http://anglebug.com/2162, http://anglebug.com/2517, http://anglebug.com/2970, http://anglebug.com/3078, http://anglebug.com/3205, http://anglebug.com/3206, http://anglebug.com/3452, http://anglebug.com/3498, http://anglebug.com/3502, http://anglebug.com/3577, http://anglebug.com/3584, http://anglebug.com/3586
Source: chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory: http://anglebug.com/3623, http://anglebug.com/3624, http://anglebug.com/3625
Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory: http://anglebug.com/3832, http://anglebug.com/3862, http://anglebug.com/3965, http://anglebug.com/3970, http://anglebug.com/4324, http://anglebug.com/4384, http://anglebug.com/4405, http://anglebug.com/4428, http://anglebug.com/4551, http://anglebug.com/4633, http://anglebug.com/4722, http://anglebug.com/4836, http://anglebug.com/4901, http://anglebug.com/4937, http://anglebug.com/5007, http://anglebug.com/5055, http://anglebug.com/5061, http://anglebug.com/5281, http://anglebug.com/5371, http://anglebug.com/5375, http://anglebug.com/5421, http://anglebug.com/5430, http://anglebug.com/5535, http://anglebug.com/5658, http://anglebug.com/5750, http://anglebug.com/5881, http://anglebug.com/5901, http://anglebug.com/5906, http://anglebug.com/6041, http://anglebug.com/6048, http://anglebug.com/6141, http://anglebug.com/6248, http://anglebug.com/6439, http://anglebug.com/6651, http://anglebug.com/6692, http://anglebug.com/6755, http://anglebug.com/6860, http://anglebug.com/6876, http://anglebug.com/6878, http://anglebug.com/6929, http://anglebug.com/6953, http://anglebug.com/7036, http://anglebug.com/7047, http://anglebug.com/7172, http://anglebug.com/7279
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7370
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7406
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7488
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7553
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7556
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7724
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7760
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7761
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8162
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8215
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8229
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8280
                  Source: chrome.exe, 00000006.00000003.1807272967.0000021ABC151000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.wikipedia
                  Source: chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://issuetracker.google.com/200067929
                  Source: chrome.exe, 00000006.00000003.1809633742.000049A000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810348219.000049A00100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810543498.000049A001068000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810415401.000049A000F44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jsbin.com/temexa/4.
                  Source: chrome.exe, 00000006.00000003.1812090537.000049A0003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811713492.000049A000A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811755895.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1809633742.000049A000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811805423.000049A000F6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810348219.000049A00100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810543498.000049A001068000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811674630.000049A000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810383491.000049A00109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810415401.000049A000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812373357.000049A0010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812566805.000049A00120C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/AUTHORS.txt
                  Source: chrome.exe, 00000006.00000003.1812090537.000049A0003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811713492.000049A000A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811755895.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1809633742.000049A000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811805423.000049A000F6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810348219.000049A00100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810543498.000049A001068000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811674630.000049A000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810383491.000049A00109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810415401.000049A000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812373357.000049A0010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812566805.000049A00120C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
                  Source: chrome.exe, 00000006.00000003.1812090537.000049A0003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811713492.000049A000A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811755895.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1809633742.000049A000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811805423.000049A000F6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810348219.000049A00100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810543498.000049A001068000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811674630.000049A000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810383491.000049A00109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810415401.000049A000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812373357.000049A0010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812566805.000049A00120C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/LICENSE.txt
                  Source: chrome.exe, 00000006.00000003.1812090537.000049A0003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811713492.000049A000A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811755895.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1809633742.000049A000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811805423.000049A000F6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810348219.000049A00100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810543498.000049A001068000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1811674630.000049A000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810383491.000049A00109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1810415401.000049A000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812373357.000049A0010D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812566805.000049A00120C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://polymer.github.io/PATENTS.txt
                  Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
                  Source: chromecache_69.8.drString found in binary or memory: http://www.broofa.com
                  Source: Setup.exe, 00000002.00000002.2116430853.0000000003A4A000.00000004.00000020.00020000.00000000.sdmp, dt2vkn.2.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: chrome.exe, 00000006.00000003.1824694816.000049A0002AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
                  Source: chrome.exe, 00000006.00000003.1824694816.000049A0002AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
                  Source: chrome.exe, 00000006.00000003.1824694816.000049A0002AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
                  Source: chromecache_68.8.drString found in binary or memory: https://accounts.google.com/o/oauth2/auth
                  Source: chromecache_68.8.drString found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
                  Source: chrome.exe, 00000006.00000003.1836584513.000049A00153C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/4830
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/4966
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/5845
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/6574
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7161
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7162
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7246
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7308
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7319
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7320
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7369
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7382
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7489
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7604
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7714
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7847
                  Source: chrome.exe, 00000006.00000003.1805027238.000049A00077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1804999097.000049A000398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1792716467.000049A000398000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://anglebug.com/7899
                  Source: chrome.exe, 00000006.00000003.1832431506.000049A0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1826332069.000049A0014A4000.00000004.00000800.00020000.00000000.sdmp, chromecache_68.8.dr, chromecache_69.8.drString found in binary or memory: https://apis.google.com
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.2117843583.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, vs26f3.2.drString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.2117843583.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, vs26f3.2.drString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                  Source: Setup.exe, 00000002.00000002.2116430853.0000000003A4A000.00000004.00000020.00020000.00000000.sdmp, dt2vkn.2.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: Setup.exe, 00000002.00000002.2116430853.0000000003A4A000.00000004.00000020.00020000.00000000.sdmp, dt2vkn.2.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: Setup.exe, 00000002.00000002.2116430853.0000000003A4A000.00000004.00000020.00020000.00000000.sdmp, dt2vkn.2.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: chrome.exe, 00000006.00000003.1805767718.000049A000CD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore
                  Source: chrome.exe, 00000006.00000003.1805814073.000049A000D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1815834566.000049A000D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1812200439.000049A000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1806870625.000049A000CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1809791327.000049A000D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1805767718.000049A000CD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstoreLDDiscover
                  Source: chrome.exe, 00000006.00000003.1841076670.000027600080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1836584513.000049A00153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1782843838.0000276000390000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
                  Source: chrome.exe, 00000006.00000003.1841076670.000027600080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1836584513.000049A00153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1782843838.0000276000390000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
                  Source: chrome.exe, 00000006.00000003.1783392196.0000276000684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
                  Source: chrome.exe, 00000006.00000003.1841076670.000027600080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1836584513.000049A00153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1782843838.0000276000390000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
                  Source: chrome.exe, 00000006.00000003.1779316712.00002D18002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1779287643.00002D18002D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
                  Source: chromecache_68.8.drString found in binary or memory: https://clients6.google.com
                  Source: chromecache_68.8.drString found in binary or memory: https://content.googleapis.com
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.2117843583.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, vs26f3.2.drString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.2117843583.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, vs26f3.2.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/
                  Source: chrome.exe, 00000006.00000003.1836584513.000049A00153C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
                  Source: chromecache_68.8.drString found in binary or memory: https://domains.google.com/suggest/flow
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-autopush.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-0.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-1.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-2.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-3.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-4.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-5.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-6.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-preprod.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-staging.corp.google.com/
                  Source: chrome.exe, 00000006.00000003.1812566805.000049A00120C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
                  Source: chrome.exe, 00000006.00000003.1787592893.000049A0004A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
                  Source: Setup.exe, 00000002.00000002.2116430853.0000000003A4A000.00000004.00000020.00020000.00000000.sdmp, dt2vkn.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: Setup.exe, 00000002.00000002.2116430853.0000000003A4A000.00000004.00000020.00020000.00000000.sdmp, dt2vkn.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: Setup.exe, 00000002.00000002.2116430853.0000000003A4A000.00000004.00000020.00020000.00000000.sdmp, dt2vkn.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49672
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
                  Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 78.47.75.136:443 -> 192.168.2.4:49732 version: TLS 1.2
                  Source: C:\Users\user\Desktop\Setup.exeCode function: 2_2_0040EAB5 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,2_2_0040EAB5
                  Source: C:\Users\user\Desktop\Setup.exeCode function: 2_2_00405AD3 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,2_2_00405AD3

                  System Summary

                  barindex
                  Source: 2.2.Setup.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings, Author: Sekoia.io
                  Source: 2.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings, Author: Sekoia.io
                  Source: 0.2.Setup.exe.3699550.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Vidar samples based on the specific strings, Author: Sekoia.io
                  Source: 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Finds Vidar samples based on the specific strings, Author: Sekoia.io
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_025F26B8
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_00404B3F
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_00415147
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_00417D56
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_0040AF7E
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_004171E1
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_004153AF
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: String function: 0040D84A appears 136 times
                  Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 1148
                  Source: Setup.exe, 00000000.00000002.1819284473.000000000071D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Setup.exe
                  Source: 2.2.Setup.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
                  Source: 2.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
                  Source: 0.2.Setup.exe.3699550.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
                  Source: 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
                  Source: Setup.exe | Static PE information: Section: .iat ZLIB complexity 1.0003727956431536
                  Source: Setup.exe, Program.cs | Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
                  Source: 0.2.Setup.exe.3699550.0.raw.unpack, Program.cs | Base64 encoded string: 'MjRmODU0Njk1YWVlNmQ3NGI2ZDFlZGQ2ZGZkYWY0NTJkMzRlNzMzMTA4NTA0MTA0OTJhZGQzNWFiNTVkZDA0Mw=='
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/28@8/8
                  Source: C:\Users\user\Desktop\Setup.exe | Code function: 2_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle
                  Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\1CH7X5JT.htm
                  Source: C:\Users\user\Desktop\Setup.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d9f07ef2-5a9b-4da7-9c96-ed4cfabf2f54
                  Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Setup.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\Setup.exe | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini
                  Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: s2djmg4wl.2.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Setup.exe | Virustotal: Detection: 47%
                  Source: Setup.exe | ReversingLabs: Detection: 45%
                  Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
                  Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
                  Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 1148
                  Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 --field-trial-handle=2244,i,15866123195984460800,8169958791410487907,262144 /prefetch:8
                  Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Setup.exe" & rd /s /q "C:\ProgramData\8qimg" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: aclayers.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sfc.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sfc_os.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: aclayers.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sfc.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sfc_os.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dbghelp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.fileexplorer.common.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntshrui.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cscapi.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: linkinfo.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Section loaded: pcacli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: acgenral.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmm.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: samcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msacm32.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winmmbase.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
                  Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Setup.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: A{"id":1,"method":"Storage.getCookies"}|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: Setup.exe, 00000000.00000002.1821672563.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: vdr1.pdb source: Setup.exe, Setup.exe, 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: Defence.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.pdb) source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: mscorlib.pdbv source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: C:\Users\Admin\source\repos\Defence\Defence\obj\Release\Defence.pdb source: Setup.exe
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: Setup.exe, Setup.exe, 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb` source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.ni.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Binary string: System.pdb source: WERA234.tmp.dmp.5.dr
                  Source: Setup.exe Static PE information: 0xCAB23F60 [Tue Oct 5 17:07:44 2077 UTC]
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0040E886
                  Source: Setup.exe Static PE information: real checksum: 0x11465 should be: 0x22fa8
                  Source: Setup.exe Static PE information: section name: .iat

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\Setup.exe Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Setup.exe" & rd /s /q "C:\ProgramData\8qimg" & exit
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0040E886
                  Source: C:\Users\user\Desktop\Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX (repeated for every process instance; identical entries collapsed)
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (identical entries collapsed)
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (identical entries collapsed)
                  Source: C:\Users\user\Desktop\Setup.exe Memory allocated: 2400000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Setup.exe Memory allocated: 2690000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Setup.exe Evasive API call chain: GetSystemTime, DecisionNodes graph_2-11538
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 4456 Thread sleep count: 84 > 30
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\Setup.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00412A5D wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00412A5D
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose, 2_2_00407891
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose, 2_2_0040A69C
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_00408776
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00413B10 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose, 2_2_00413B10
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00411BD2 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_00411BD2
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose, 2_2_004013DA
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_00406784
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00411187 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 2_2_00411187
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 2_2_00409C78
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00408224
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00412539 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 2_2_00412539
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00411722 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 2_2_00411722
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040DF8C GetSystemInfo,wsprintfA, 2_2_0040DF8C
                  Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
                  Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\
                  Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5
                  Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
                  Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\
                  Source: Amcache.hve.5.dr Binary or memory string: VMware
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWj
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHJ
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Setup.exe, 00000002.00000002.2115117573.000000000376F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: od_VMware_SATA_C
                  Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\Setup.exe API call chain: ExitProcess graph end node graph_2-12231
                  Source: C:\Users\user\Desktop\Setup.exe API call chain: ExitProcess graph end node graph_2-12137
                  Source: C:\Users\user\Desktop\Setup.exe API call chain: ExitProcess graph end node graph_2-11843
                  Source: C:\Users\user\Desktop\Setup.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Setup.exe Process queried: DebugPort (two identical entries collapsed)
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0040E886
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02692115 mov edi, dword ptr fs:[00000030h] 0_2_02692115
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02692292 mov edi, dword ptr fs:[00000030h] 0_2_02692292
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040D84A lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrcpyA,lstrcatA, 2_2_0040D84A
                  Source: C:\Users\user\Desktop\Setup.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02692115 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02692115
                  Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Users\user\Desktop\Setup.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle, 2_2_0040F029
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040F0CA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 2_2_0040F0CA
                  Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
                  Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Setup.exe" & rd /s /q "C:\ProgramData\8qimg" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\Setup.exe Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_0040DE1C
                  Source: C:\Users\user\Desktop\Setup.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (two identical entries collapsed)
                  Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Users\user\Desktop\Setup.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\ VolumeInformation (two identical entries collapsed)
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00417842 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 2_2_00417842
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00414CDB EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW, 2_2_00414CDB
                  Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0040DDBF GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_0040DDBF
                  Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match File source: 2.2.Setup.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.Setup.exe.3699550.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.1821672563.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: Setup.exe PID: 7572, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: Setup.exe PID: 7636, type: MEMORYSTR
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\ (three identical entries collapsed)
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
                  Source: Setup.exe, 00000002.00000002.2115117573.00000000036B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: multidoge.wallet
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
                  Source: Setup.exe, 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\*.*
                  Source: C:\Users\user\Desktop\Setup.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\ConfigurationJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.jsJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
                  Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
                  Source: Yara matchFile source: 00000002.00000002.2113667300.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Setup.exe PID: 7636, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Users\user\Desktop\Setup.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                  Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match; File source: 2.2.Setup.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.Setup.exe.3699550.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000000.00000002.1821672563.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.2112838625.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: Setup.exe PID: 7572, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: Setup.exe PID: 7636, type: MEMORYSTR
                  MITRE ATT&CK Matrix, listed by tactic (a leading number marks a technique matched by the analysis, with the number of matching signatures):

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                  Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                  Persistence: 1 DLL Side-Loading; 1 Create Account; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Privilege Escalation: 1 DLL Side-Loading; 1 Extra Window Memory Injection; 311 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 1 Extra Window Memory Injection; 1 Masquerading; 3 Virtualization/Sandbox Evasion; 311 Process Injection
                  Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                  Discovery: 2 System Time Discovery; 1 Account Discovery; 4 File and Directory Discovery; 35 System Information Discovery; 1 Query Registry; 31 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 12 Process Discovery; 1 System Owner/User Discovery; Network Service Discovery; System Network Connections Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                  Collection: 1 Archive Collected Data; 4 Data from Local System; 1 Screen Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                  Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 1 Remote Access Software; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
                  Behavior Graph ID: 1616298; Sample: Setup.exe; Start date: 16/02/2025; Architecture: WINDOWS; Score: 100

                  Sample-level domains: xu3.201008281.xyz, t.me
                  Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Performs DNS queries to domains with low reputation (xu3.201008281.xyz); 5 other signatures

                  Process tree (as drawn in the graph):
                  Setup.exe
                    signatures: Attempt to bypass Chrome Application-Bound Encryption; Self deletion via cmd or bat file; Contains functionality to inject code into remote processes; 2 other signatures
                    Setup.exe (child)
                      network: xu3.201008281.xyz (78.47.75.136, port 443, HETZNER-ASDE, Germany); t.me (149.154.167.99, port 443, TELEGRAMRU, United Kingdom); 127.0.0.1
                      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Self deletion via cmd or bat file; 4 other signatures
                      chrome.exe
                        network: 192.168.2.4 (ports 138, 443); 239.255.255.250 (Reserved)
                        chrome.exe (child)
                          network: plus.l.google.com (142.250.181.238, port 443, GOOGLEUS, United States); play.google.com (172.217.16.206, port 443, GOOGLEUS, United States); 2 other IPs or domains
                      cmd.exe
                        conhost.exe
                        timeout.exe
                    WerFault.exe
                      dropped file: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
                    conhost.exe
