Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SwitchAutoSetup_v0.7.0.3.exe

Overview

General Information

Sample name:SwitchAutoSetup_v0.7.0.3.exe
Analysis ID:1632615
MD5:4ce764cccf817c7f6f527e8d2c69c7e6
SHA1:ab533c671d0da276e5096455cc841b2703c0f3ef
SHA256:2959bef771b11c5180c49ab65c8e1db4d2a1c1b079a842f2300fefad35f7bb11
Tags:exevidaruser-aachum
Infos:

Detection

Vidar
Score:100
Range:0 - 100
Confidence:100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Vidar stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SwitchAutoSetup_v0.7.0.3.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" MD5: 4CE764CCCF817C7F6F527E8D2C69C7E6)
    • SwitchAutoSetup_v0.7.0.3.tmp (PID: 7376 cmdline: "C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$2043C,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" MD5: 936F45C3C0CFC53736EBA6F1D614855E)
      • SwitchAutoSetup_v0.7.0.3.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT MD5: 4CE764CCCF817C7F6F527E8D2C69C7E6)
        • SwitchAutoSetup_v0.7.0.3.tmp (PID: 7436 cmdline: "C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$20446,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT MD5: 936F45C3C0CFC53736EBA6F1D614855E)
          • SystemScannerSetup.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe" MD5: 810FE193D35FE0D6577E9E3455F70579)
            • chrome.exe (PID: 2964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)
              • chrome.exe (PID: 1400 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,7230122723258020460,16503310506373257666,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2508 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
VidarVidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000005.00000003.1521581095.0000000000633000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
      Process Memory Space: SystemScannerSetup.exe PID: 7612JoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
        Process Memory Space: SystemScannerSetup.exe PID: 7612JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

          Sigma Signatures

          Sigma detected: Browser Started with Remote Debugging
          Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe", ParentImage: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe, ParentProcessId: 7612, ParentProcessName: SystemScannerSetup.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 2964, ProcessName: chrome.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-08T14:08:57.306498+010020442471Malware Command and Control Activity Detected95.217.31.199443192.168.2.449726TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-08T14:09:00.232279+010020518311Malware Command and Control Activity Detected95.217.31.199443192.168.2.449727TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-08T14:08:57.305888+010020490871A Network Trojan was detected192.168.2.44972695.217.31.199443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-08T14:09:03.166295+010020593311Malware Command and Control Activity Detected192.168.2.44972895.217.31.199443TCP
          2025-03-08T14:09:05.007865+010020593311Malware Command and Control Activity Detected192.168.2.44972995.217.31.199443TCP
          2025-03-08T14:09:05.028479+010020593311Malware Command and Control Activity Detected192.168.2.44973095.217.31.199443TCP
          2025-03-08T14:09:07.243377+010020593311Malware Command and Control Activity Detected192.168.2.44973195.217.31.199443TCP
          2025-03-08T14:09:09.191933+010020593311Malware Command and Control Activity Detected192.168.2.44973295.217.31.199443TCP
          2025-03-08T14:09:18.356626+010020593311Malware Command and Control Activity Detected192.168.2.44975695.217.31.199443TCP
          2025-03-08T14:09:19.327027+010020593311Malware Command and Control Activity Detected192.168.2.44975795.217.31.199443TCP
          2025-03-08T14:09:20.414967+010020593311Malware Command and Control Activity Detected192.168.2.44975895.217.31.199443TCP
          2025-03-08T14:09:21.398133+010020593311Malware Command and Control Activity Detected192.168.2.44975995.217.31.199443TCP
          2025-03-08T14:09:26.326106+010020593311Malware Command and Control Activity Detected192.168.2.44976095.217.31.199443TCP
          2025-03-08T14:09:26.868257+010020593311Malware Command and Control Activity Detected192.168.2.44976195.217.31.199443TCP
          2025-03-08T14:09:30.809307+010020593311Malware Command and Control Activity Detected192.168.2.44976295.217.31.199443TCP
          2025-03-08T14:09:32.163775+010020593311Malware Command and Control Activity Detected192.168.2.44976395.217.31.199443TCP
          2025-03-08T14:09:53.325811+010020593311Malware Command and Control Activity Detected192.168.2.44976695.217.31.199443TCP
          2025-03-08T14:09:54.066993+010020593311Malware Command and Control Activity Detected192.168.2.44976795.217.31.199443TCP
          2025-03-08T14:09:57.096435+010020593311Malware Command and Control Activity Detected192.168.2.44976895.217.31.199443TCP
          2025-03-08T14:09:58.211213+010020593311Malware Command and Control Activity Detected192.168.2.44976995.217.31.199443TCP
          2025-03-08T14:10:00.449365+010020593311Malware Command and Control Activity Detected192.168.2.44977095.217.31.199443TCP
          2025-03-08T14:10:01.351689+010020593311Malware Command and Control Activity Detected192.168.2.44977195.217.31.199443TCP
          2025-03-08T14:10:04.775588+010020593311Malware Command and Control Activity Detected192.168.2.44977295.217.31.199443TCP
          2025-03-08T14:10:05.531328+010020593311Malware Command and Control Activity Detected192.168.2.44977395.217.31.199443TCP
          2025-03-08T14:10:09.168484+010020593311Malware Command and Control Activity Detected192.168.2.44977495.217.31.199443TCP
          2025-03-08T14:10:10.550196+010020593311Malware Command and Control Activity Detected192.168.2.44977595.217.31.199443TCP
          2025-03-08T14:10:13.099011+010020593311Malware Command and Control Activity Detected192.168.2.44977695.217.31.199443TCP
          2025-03-08T14:10:14.224361+010020593311Malware Command and Control Activity Detected192.168.2.44977795.217.31.199443TCP
          2025-03-08T14:10:18.008369+010020593311Malware Command and Control Activity Detected192.168.2.44977995.217.31.199443TCP
          2025-03-08T14:10:20.078642+010020593311Malware Command and Control Activity Detected192.168.2.44978095.217.31.199443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-08T14:09:05.028479+010028596361Malware Command and Control Activity Detected192.168.2.44973095.217.31.199443TCP
          2025-03-08T14:09:07.243377+010028596361Malware Command and Control Activity Detected192.168.2.44973195.217.31.199443TCP
          2025-03-08T14:09:09.191933+010028596361Malware Command and Control Activity Detected192.168.2.44973295.217.31.199443TCP
          2025-03-08T14:09:20.414967+010028596361Malware Command and Control Activity Detected192.168.2.44975895.217.31.199443TCP
          2025-03-08T14:09:21.398133+010028596361Malware Command and Control Activity Detected192.168.2.44975995.217.31.199443TCP
          2025-03-08T14:09:26.326106+010028596361Malware Command and Control Activity Detected192.168.2.44976095.217.31.199443TCP
          2025-03-08T14:09:26.868257+010028596361Malware Command and Control Activity Detected192.168.2.44976195.217.31.199443TCP
          2025-03-08T14:09:30.809307+010028596361Malware Command and Control Activity Detected192.168.2.44976295.217.31.199443TCP
          2025-03-08T14:09:32.163775+010028596361Malware Command and Control Activity Detected192.168.2.44976395.217.31.199443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-08T14:08:51.224057+010028593781Malware Command and Control Activity Detected192.168.2.44972495.217.31.199443TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe (copy)ReversingLabs: Detection: 21%
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-QSQJJ.tmpReversingLabs: Detection: 21%
          Multi AV Scanner detection for submitted file
          Source: SwitchAutoSetup_v0.7.0.3.exeVirustotal: Detection: 19%Perma Link
          Source: SwitchAutoSetup_v0.7.0.3.exeReversingLabs: Detection: 15%
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00986A10 StrStrA,lstrlen,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlen,5_2_00986A10
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00990830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,5_2_00990830
          Source: SwitchAutoSetup_v0.7.0.3.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
          Source: unknownHTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49719 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49722 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49723 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49724 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49725 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49728 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49729 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49730 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49731 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49732 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49756 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49757 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49758 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49759 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49760 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49761 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49762 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49763 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49766 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49767 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49768 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49769 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49770 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49771 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49772 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49773 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49774 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49775 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49776 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49777 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49778 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49779 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49780 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49781 version: TLS 1.2
          Source: SwitchAutoSetup_v0.7.0.3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: x64\ship\0\ietag.dll\bbtopt\ietagO.pdb source: is-2NH1K.tmp.3.dr
          Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\GitLab.UI.Windows\obj\WindowsRelease\net472\GitLab.UI.pdbSHA256 source: is-MMEK3.tmp.3.dr
          Source: Binary string: t:\mso\x64\ship\0\ietag.pdb source: is-2NH1K.tmp.3.dr
          Source: Binary string: cryptosetup.pdbGCTL source: SystemScannerSetup.exe, 00000005.00000002.2415946862.000000000362D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cryptosetup.pdb source: SystemScannerSetup.exe, 00000005.00000002.2415946862.000000000362D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: t:\mso\x64\ship\0\ietag.pdbx64\ship\0\ietag.dll\bbtopt\ietagO.pdbh source: is-2NH1K.tmp.3.dr
          Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\GitLab.UI.Windows\obj\WindowsRelease\net472\GitLab.UI.pdb source: is-MMEK3.tmp.3.dr
          Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00402910 FindFirstFileW,5_2_00402910
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_004069DF FindFirstFileW,FindClose,5_2_004069DF
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00405D8E DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_00405D8E
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0098B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,5_2_0098B6B0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00987210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,memset,CopyFileA,DeleteFileA,memset,FindClose,5_2_00987210
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00993580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose,5_2_00993580
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_009897B0 FindFirstFileA,FindNextFileA,strlen,5_2_009897B0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_009813F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,5_2_009813F0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00988360 FindFirstFileA,CopyFileA,FindNextFileA,strlen,CopyFileA,FindClose,5_2_00988360
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00988C90 lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,strlen,lstrcpy,memset,lstrcpy,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpy,lstrcpy,CopyFileA,FindClose,FindClose,DeleteFileA,5_2_00988C90
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00995EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,_mbscpy,_splitpath,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose,5_2_00995EB0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0098ACD0 wsprintfA,FindFirstFileA,strlen,lstrlen,DeleteFileA,CopyFileA,FindClose,5_2_0098ACD0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00994E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,FindClose,5_2_00994E70
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00993FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,FindClose,5_2_00993FD0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00994950 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrlen,lstrlen,5_2_00994950
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00993AF0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen,5_2_00993AF0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
          Source: chrome.exeMemory has grown: Private usage: 8MB later: 41MB

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49724 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49756 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49757 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49728 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49730 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49730 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49758 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49758 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49763 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49763 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49726 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49729 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49731 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49731 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49759 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49759 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49732 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49732 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.31.199:443 -> 192.168.2.4:49727
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49760 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49760 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49762 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49762 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.31.199:443 -> 192.168.2.4:49726
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49767 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49770 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49768 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49771 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49775 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49761 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49761 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49773 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49780 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49772 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49769 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49777 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49776 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49774 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49779 -> 95.217.31.199:443
          Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49766 -> 95.217.31.199:443
          Source: global trafficHTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
          Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
          Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
          Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
          Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
          Source: unknownTCP traffic detected without corresponding DNS query: 2.23.77.188
          Source: unknownTCP traffic detected without corresponding DNS query: 2.23.77.188
          Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00982690 lstrlen,StrCmpCA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,GetProcessHeap,RtlAllocateHeap,memcpy,lstrlen,memcpy,lstrlen,memcpy,lstrlen,HttpSendRequestA,Sleep,HttpQueryInfoA,InternetReadFile,InternetReadFile,StrCmpCA,InternetCloseHandle,InternetCloseHandle,5_2_00982690
          Source: global trafficHTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: us.f.goldenloafuae.comConnection: Keep-AliveCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgdbOAQjI3M4BCIrgzgEIruTOAQiG5c4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgdbOAQjI3M4BCIrgzgEIruTOAQiG5c4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
          Source: chrome.exe, 0000000C.00000003.1676167786.00000E5401538000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1676249298.00000E54014B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
          Source: chrome.exe, 0000000C.00000003.1676167786.00000E5401538000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1676249298.00000E54014B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
          Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
          Source: chrome.exe, 0000000C.00000002.1763118071.00000E540014C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: l="https://www.facebook. equals www.facebook.com (Facebook)
          Source: global trafficDNS traffic detected: DNS query: t.me
          Source: global trafficDNS traffic detected: DNS query: us.f.goldenloafuae.com
          Source: global trafficDNS traffic detected: DNS query: www.google.com
          Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----as26fu3ekf37qie37y5fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: us.f.goldenloafuae.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cache
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/time/1/current
          Source: chrome.exe, 0000000C.00000002.1766289085.00000E5400848000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
          Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1426803738.000000000066F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m&
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
          Source: is-CDLA5.tmp.3.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://cscasha2.ocsp-certum.com04
          Source: chrome.exe, 0000000C.00000002.1762643984.00000E5400040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
          Source: chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
          Source: chrome.exe, 0000000C.00000002.1762808398.00000E54000B5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://google.com/
          Source: SystemScannerSetup.exe, 00000005.00000002.2410104804.000000000040A000.00000008.00000001.01000000.00000011.sdmp, is-QSQJJ.tmp.3.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://ocsp.sectigo.com0
          Source: is-CDLA5.tmp.3.drString found in binary or memory: http://ocsp.thawte.com0
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0?
          Source: chrome.exe, 0000000C.00000002.1770060021.00000E5400F60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://repository.certum.pl/cscasha2.cer0
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://repository.certum.pl/ctnca.cer09
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://subca.ocsp-certum.com01
          Source: is-CDLA5.tmp.3.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
          Source: is-CDLA5.tmp.3.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
          Source: is-CDLA5.tmp.3.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
          Source: chrome.exe, 0000000C.00000002.1769101880.00000E5400DA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://unisolated.invalid/
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: http://www.certum.pl/CPS0
          Source: chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/update2/response
          Source: chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.gstatic.com/generate_204
          Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1426803738.000000000066F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
          Source: chrome.exe, 0000000C.00000002.1751274379.0000024B207A0000.00000002.00000001.00040000.00000019.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
          Source: is-CDLA5.tmp.3.drString found in binary or memory: http://www.vmware.com/0
          Source: chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accountcapabilities-pa.googleapis.com/
          Source: chrome.exe, 0000000C.00000002.1762643984.00000E5400040000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
          Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775425096.00000E5401A44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771758681.00000E540128C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com
          Source: chrome.exe, 0000000C.00000002.1775425096.00000E5401A44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/AccountChooser
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/AddSession
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
          Source: chrome.exe, 0000000C.00000003.1675910854.00000E54010E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
          Source: chrome.exe, 0000000C.00000003.1675910854.00000E54010E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/Logout
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/RotateBoundCookies
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/chrome/blank.html
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/windows
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
          Source: chrome.exe, 0000000C.00000002.1763012808.00000E5400109000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/o/oauth2/revoke
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/oauth/multilogin
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/samlredirect
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
          Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com:443
          Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
          Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
          Source: chrome.exe, 0000000C.00000003.1712373986.00000E5401508000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711364407.00000E5401558000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713115103.00000E5401538000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com
          Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
          Source: chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: chrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore/category/extensions
          Source: chrome.exe, 0000000C.00000002.1769494238.00000E5400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774517924.00000E540187C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1756562218.0000024B26B97000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
          Source: chrome.exe, 0000000C.00000002.1771188780.00000E5401198000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675988183.00000E54012E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstoreLDDiscover
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
          Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
          Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
          Source: chrome.exe, 0000000C.00000003.1666418449.00000E5000468000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
          Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/
          Source: chrome.exe, 0000000C.00000002.1766009646.00000E54007C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
          Source: chrome.exe, 0000000C.00000002.1766009646.00000E54007C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
          Source: chrome.exe, 0000000C.00000002.1763731535.00000E54002CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
          Source: chrome.exe, 0000000C.00000002.1763731535.00000E54002CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
          Source: chrome.exe, 0000000C.00000002.1763405975.00000E54001D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/
          Source: chrome.exe, 0000000C.00000002.1767044155.00000E54009BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/extensions
          Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/themes
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://classroom.googleapis.com/
          Source: chrome.exe, 0000000C.00000003.1664450207.00000778000DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
          Source: chrome.exe, 0000000C.00000002.1763405975.00000E54001D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766652476.00000E5400908000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766289085.00000E5400848000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763291723.00000E5400198000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
          Source: chrome.exe, 0000000C.00000002.1765842218.00000E540078F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
          Source: chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
          Source: chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync/event
          Source: chrome.exe, 0000000C.00000002.1766289085.00000E5400848000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
          Source: chrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/368855.)
          Source: chrome.exe, 0000000C.00000002.1764183680.00000E54003D4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
          Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/:
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/J
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
          Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
          Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
          Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/:
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/J
          Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
          Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/:
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/J
          Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
          Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
          Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-4.corp.google.com/
          Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-5.corp.google.com/
          Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-6.corp.google.com/
          Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-preprod.corp.google.com/
          Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-staging.corp.google.com/
          Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/:
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?lfhs=2
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/J
          Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: chrome.exe, 0000000C.00000003.1711519779.00000E54016F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711519779.00000E54016A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fonts.google.com/icons?selected=Material
          Source: chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?20
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic2
          Source: chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
          Source: chrome.exe, 0000000C.00000003.1666418449.00000E5000468000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
          Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
          Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
          Source: chrome.exe, 0000000C.00000002.1762530557.00000E5400004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google.com/
          Source: chrome.exe, 0000000C.00000002.1766578185.00000E54008E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://googleusercontent.com/
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713907864.00000E5401B08000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs2e
          Source: SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: https://jrsoftware.org/
          Source: SwitchAutoSetup_v0.7.0.3.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: https://jrsoftware.org0
          Source: chrome.exe, 0000000C.00000002.1768948060.00000E5400D74000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771256346.00000E54011C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767817560.00000E5400B90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
          Source: chrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search?source=ntp
          Source: chrome.exe, 0000000C.00000003.1711364407.00000E5401558000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/gen204
          Source: chrome.exe, 0000000C.00000002.1763938996.00000E5400328000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
          Source: chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/comon
          Source: chrome.exe, 0000000C.00000002.1763731535.00000E54002CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://m.google.com/devicemanagement/data/api
          Source: chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770740981.00000E54010E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766652476.00000E5400908000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769596352.00000E5400E2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771758681.00000E540128C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675910854.00000E54010E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/
          Source: chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/:
          Source: chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/J
          Source: chrome.exe, 0000000C.00000002.1770668945.00000E54010C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774625425.00000E54018C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770212051.00000E5400FB4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
          Source: chrome.exe, 0000000C.00000002.1770212051.00000E5400FB4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultValidator
          Source: chrome.exe, 0000000C.00000002.1774625425.00000E54018C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultfault
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/:
          Source: chrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/J
          Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
          Source: chrome.exe, 0000000C.00000002.1767379255.00000E5400A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768879134.00000E5400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774004353.00000E540176C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
          Source: chrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
          Source: chrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
          Source: chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
          Source: chrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
          Source: chrome.exe, 0000000C.00000002.1768135751.00000E5400C1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp, chrome.exe, 0000000C.00000003.1675837986.00000E54011A8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myactivity.google.com/
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
          Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogads-pa.googleapis.com
          Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com
          Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
          Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?eom=1
          Source: chrome.exe, 0000000C.00000002.1774730234.00000E54018F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
          Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
          Source: chrome.exe, 0000000C.00000002.1762763876.00000E5400088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
          Source: chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770160353.00000E5400FA0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
          Source: chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770160353.00000E5400FA0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
          Source: chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
          Source: chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775248788.00000E5401A28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774730234.00000E54018F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
          Source: chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728324084&target=OPTIMIZATION_TARGET_OMN
          Source: chrome.exe, 0000000C.00000002.1770160353.00000E5400FA0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808228&target=OPTIMIZATION_TARGET_GEO
          Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808249&target=OPTIMIZATION_TARGET_NOT
          Source: chrome.exe, 0000000C.00000002.1775208989.00000E5401A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773263320.00000E54014F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739894676&target=OPTIMIZATION_TARGET_CLI
          Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
          Source: chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042075&target=OPTIMIZATION_TARGET_S
          Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
          Source: chrome.exe, 0000000C.00000002.1775208989.00000E5401A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
          Source: chrome.exe, 0000000C.00000003.1711364407.00000E5401558000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713115103.00000E5401538000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/calendar/
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://passwords.google.comSaved
          Source: chrome.exe, 0000000C.00000002.1767044155.00000E54009BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://passwords.google/
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://people.googleapis.com/
          Source: chrome.exe, 0000000C.00000002.1768135751.00000E5400C1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp, chrome.exe, 0000000C.00000003.1675837986.00000E54011A8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://policies.google.com/
          Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
          Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
          Source: chrome.exe, 0000000C.00000002.1762877466.00000E54000E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764570210.00000E5400450000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
          Source: chrome.exe, 0000000C.00000002.1762841931.00000E54000C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: https://sectigo.com/CPS0D
          Source: chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.comb
          Source: chrome.exe, 0000000C.00000002.1773182996.00000E54014DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768740720.00000E5400D1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767817560.00000E5400B90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
          Source: chrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
          Source: SystemScannerSetup.exe, 00000005.00000002.2414264528.0000000002510000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
          Source: SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://support.google.com/chrome/answer/96817
          Source: chrome.exe, 0000000C.00000003.1713172327.00000E5400540000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764735847.00000E5400540000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://support.google.com/chromebook?p=app_intent
          Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
          Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
          Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
          Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20161
          Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
          Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e175
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/
          Source: SystemScannerSetup.exe, 00000005.00000003.1461796705.0000000000612000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://t.me/l793oy
          Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/l793oy-
          Source: SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://t.me/l793oyir7amMozilla/5.0
          Source: chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://t0.gstatic.com/faviconV2
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tasks.googleapis.com/
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1582040519.0000000000631000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1426803738.000000000066F000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1552809969.0000000000630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com
          Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com#
          Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1582040519.0000000000631000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1552809969.0000000000630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/
          Source: SystemScannerSetup.exe, 00000005.00000003.1521581095.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/#
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/.
          Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/6
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/:
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/B
          Source: SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/Ch3uo
          Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/G
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/denloafuae.com/
          Source: SystemScannerSetup.exe, 00000005.00000003.1552809969.0000000000630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/qh
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/s
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.0000000003840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com/sts
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com2
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.comH
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.comd
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://us.f.goldenloafuae.com~
          Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461796705.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491978923.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1521641183.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drString found in binary or memory: https://www.certum.pl/CPS0
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
          Source: chrome.exe, 0000000C.00000002.1763118071.00000E540014C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.
          Source: chrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771758681.00000E540128C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766578185.00000E54008E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
          Source: chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
          Source: chrome.exe, 0000000C.00000002.1774433539.00000E5401840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/newtab_promos
          Source: chrome.exe, 0000000C.00000002.1767044155.00000E54009BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/#safe
          Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-features/
          Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-tools/
          Source: chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
          Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
          Source: chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768879134.00000E5400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767697553.00000E5400B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/tips/
          Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764048514.00000E5400388000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767520370.00000E5400B24000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769951709.00000E5400EFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764693613.00000E5400500000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763246356.00000E540018C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711933931.00000E5400500000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
          Source: chrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
          Source: chrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab
          Source: chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
          Source: chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713907864.00000E5401B08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713870726.00000E5401AFC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search
          Source: chrome.exe, 0000000C.00000002.1765080772.00000E5400620000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
          Source: chrome.exe, 0000000C.00000002.1765080772.00000E5400620000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit7E
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/
          Source: chrome.exe, 0000000C.00000003.1666590184.00000E50004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666530567.00000E50004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666634617.00000E50004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
          Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
          Source: chrome.exe, 0000000C.00000003.1666590184.00000E50004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666530567.00000E50004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666634617.00000E50004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerForcedOn_PlusAddressAndroidOpenGmsCoreManagementP
          Source: chrome.exe, 0000000C.00000003.1666590184.00000E50004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666530567.00000E50004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666634617.00000E50004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerPlusAddressOfferCreationIfPasswordFieldIsNotVisib
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v4/token
          Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
          Source: chrome.exe, 0000000C.00000002.1766056559.00000E54007E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
          Source: chrome.exe, 0000000C.00000002.1776588751.00000E5401F5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
          Source: chrome.exe, 0000000C.00000002.1777268667.00000E5402058000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776331079.00000E5401D7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776629547.00000E5401F6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776979255.00000E5402004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774141831.00000E54017A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776588751.00000E5401F5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
          Source: chrome.exe, 0000000C.00000002.1766578185.00000E54008E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.WcyoQrvsWY0.2019.O/rt=j/m=q_dnp
          Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.L8bgMGq1rcI.L.W.O/m=qmd
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000000.1167130222.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SwitchAutoSetup_v0.7.0.3.tmp.0.drString found in binary or memory: https://www.innosetup.com/
          Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
          Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
          Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
          Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
          Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000000.1167130222.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SwitchAutoSetup_v0.7.0.3.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://www.ssl.com/repository0
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/:
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?feature=ytca
          Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J
          Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
          Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
          Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
          Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
          Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
          Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
          Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
          Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
          Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
          Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
          Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
          Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
          Source: unknownHTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49719 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49722 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49723 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49724 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49725 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49728 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49729 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49730 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49731 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49732 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49756 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49757 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49758 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49759 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49760 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49761 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49762 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49763 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49766 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49767 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49768 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49769 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49770 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49771 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49772 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49773 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49774 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49775 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49776 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49777 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49778 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49779 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49780 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49781 version: TLS 1.2
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_00405846
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00990A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,ReleaseDC,CloseWindow,5_2_00990A90
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00986480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpy,CreateProcessA,Sleep,CloseDesktop,5_2_00986480
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00511F3B NtAllocateVirtualMemory,5_2_00511F3B
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00511FCC NtProtectVirtualMemory,5_2_00511FCC
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00511F8E NtFreeVirtualMemory,5_2_00511F8E
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0059066E NtProtectVirtualMemory,5_2_0059066E
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00590CD8 NtAllocateVirtualMemory,5_2_00590CD8
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00590B72 NtGetContextThread,NtSetContextThread,NtResumeThread,5_2_00590B72
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_005911E5 CreateThread,malloc,NtClose,free,5_2_005911E5
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_005910E8 NtClose,5_2_005910E8
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00591084 NtClose,5_2_00591084
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0059114C NtClose,5_2_0059114C
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_005919C5 free,NtClose,free,5_2_005919C5
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_004036455_2_00403645
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0040464D5_2_0040464D
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_004046685_2_00404668
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_004046365_2_00404636
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00403CF45_2_00403CF4
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00406DA05_2_00406DA0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_005105315_2_00510531
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_005100015_2_00510001
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00984A205_2_00984A20
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_009986305_2_00998630
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_009993D05_2_009993D0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0099A7D05_2_0099A7D0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0099B3005_2_0099B300
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0099C1005_2_0099C100
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0099B7705_2_0099B770
          Source: SwitchAutoSetup_v0.7.0.3.exeStatic PE information: invalid certificate
          Source: SwitchAutoSetup_v0.7.0.3.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: SwitchAutoSetup_v0.7.0.3.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: is-GTHAH.tmp.3.drStatic PE information: Number of sections : 11 > 10
          Source: is-JL3NL.tmp.3.drStatic PE information: Number of sections : 11 > 10
          Source: is-P0TS2.tmp.3.drStatic PE information: Number of sections : 11 > 10
          Source: is-FJU40.tmp.3.drStatic PE information: Number of sections : 11 > 10
          Source: is-T2KNG.tmp.3.drStatic PE information: Number of sections : 11 > 10
          Source: is-J3R4N.tmp.3.drStatic PE information: Number of sections : 11 > 10
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1178944856.0000000002348000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs SwitchAutoSetup_v0.7.0.3.exe
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000000.1164868537.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1178944856.000000000228A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000002.00000003.1264484208.000000000220A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
          Source: SwitchAutoSetup_v0.7.0.3.exe, 00000002.00000003.1264484208.00000000022C8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs SwitchAutoSetup_v0.7.0.3.exe
          Source: SwitchAutoSetup_v0.7.0.3.exeBinary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
          Source: SwitchAutoSetup_v0.7.0.3.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
          Source: is-QSQJJ.tmp.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/62@5/5
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00510C41 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,Thread32Next,CloseHandle,5_2_00510C41
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_004021AF CoCreateInstance,5_2_004021AF
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeFile created: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmpJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
          Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
          Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
          Source: chrome.exe, 0000000C.00000002.1771820943.00000E54012C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763810558.00000E54002FC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770830222.00000E5401134000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
          Source: chrome.exe, 0000000C.00000002.1765447436.00000E54006C1000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
          Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
          Source: chrome.exe, 0000000C.00000002.1771820943.00000E54012C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763810558.00000E54002FC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770830222.00000E5401134000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
          Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
          Source: chrome.exe, 0000000C.00000002.1774912505.00000E540194C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
          Source: 79h47yuk6.5.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
          Source: chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';
          Source: SwitchAutoSetup_v0.7.0.3.exeVirustotal: Detection: 19%
          Source: SwitchAutoSetup_v0.7.0.3.exeReversingLabs: Detection: 15%
          Source: SwitchAutoSetup_v0.7.0.3.exeString found in binary or memory: /LOADINF="filename"
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeFile read: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe"
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$2043C,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe"
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess created: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$20446,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe "C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe"
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,7230122723258020460,16503310506373257666,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2508 /prefetch:3
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$2043C,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess created: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENTJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$20446,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENTJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe "C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,7230122723258020460,16503310506373257666,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2508 /prefetch:3Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: netapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: iconcodecservice.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: winsta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: netapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: iconcodecservice.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: winsta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: sfc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: sfc_os.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: explorerframe.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpWindow found: window name: TMainFormJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: SwitchAutoSetup_v0.7.0.3.exeStatic file information: File size 36721088 > 1048576
          Source: SwitchAutoSetup_v0.7.0.3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: x64\ship\0\ietag.dll\bbtopt\ietagO.pdb source: is-2NH1K.tmp.3.dr
          Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\GitLab.UI.Windows\obj\WindowsRelease\net472\GitLab.UI.pdbSHA256 source: is-MMEK3.tmp.3.dr
          Source: Binary string: t:\mso\x64\ship\0\ietag.pdb source: is-2NH1K.tmp.3.dr
          Source: Binary string: cryptosetup.pdbGCTL source: SystemScannerSetup.exe, 00000005.00000002.2415946862.000000000362D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cryptosetup.pdb source: SystemScannerSetup.exe, 00000005.00000002.2415946862.000000000362D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: t:\mso\x64\ship\0\ietag.pdbx64\ship\0\ietag.dll\bbtopt\ietagO.pdbh source: is-2NH1K.tmp.3.dr
          Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\GitLab.UI.Windows\obj\WindowsRelease\net472\GitLab.UI.pdb source: is-MMEK3.tmp.3.dr
          Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr
          Source: is-MMEK3.tmp.3.drStatic PE information: 0xE3936941 [Wed Dec 27 20:12:49 2090 UTC]
          Source: SwitchAutoSetup_v0.7.0.3.exeStatic PE information: section name: .didata
          Source: SwitchAutoSetup_v0.7.0.3.tmp.0.drStatic PE information: section name: .didata
          Source: SwitchAutoSetup_v0.7.0.3.tmp.2.drStatic PE information: section name: .didata
          Source: is-P0TS2.tmp.3.drStatic PE information: section name: .xdata
          Source: is-GTHAH.tmp.3.drStatic PE information: section name: .xdata
          Source: is-JL3NL.tmp.3.drStatic PE information: section name: .xdata
          Source: is-T2KNG.tmp.3.drStatic PE information: section name: .xdata
          Source: is-FJU40.tmp.3.drStatic PE information: section name: .xdata
          Source: is-J3R4N.tmp.3.drStatic PE information: section name: .xdata
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\p11-kit.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\pkcs1-conv.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_isdecmp.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-547IQ.tmpJump to dropped file
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeFile created: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_iscrypt.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-P0TS2.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-JL3NL.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\kvno.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\libopencore-amrnb.dll (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\blocked-file-util.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_setup64.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-FJU40.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\IETAG.DLL (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-J3R4N.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-CDLA5.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\tclsh86.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-QSQJJ.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-GTHAH.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-T2KNG.tmpJump to dropped file
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeFile created: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\wish86.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile created: C:\ProgramData\glxbs\wlfk6fJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\bzip2recover.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-2NH1K.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\GitLab.UI.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_isdecmp.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_setup64.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpFile created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-MMEK3.tmpJump to dropped file
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile created: C:\ProgramData\glxbs\wlfk6fJump to dropped file
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile created: C:\ProgramData\glxbs\wlfk6fJump to dropped file
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_5-18252
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\pkcs1-conv.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\p11-kit.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_isdecmp.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-547IQ.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_iscrypt.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-P0TS2.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-JL3NL.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\kvno.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\libopencore-amrnb.dll (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\blocked-file-util.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-FJU40.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_setup64.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\IETAG.DLL (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-J3R4N.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\tclsh86.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-CDLA5.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-GTHAH.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-T2KNG.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\wish86.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeDropped PE file which has not been started: C:\ProgramData\glxbs\wlfk6fJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\bzip2recover.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-2NH1K.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\GitLab.UI.exe (copy)Jump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_isdecmp.dllJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_setup64.tmpJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-MMEK3.tmpJump to dropped file
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00402910 FindFirstFileW,5_2_00402910
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_004069DF FindFirstFileW,FindClose,5_2_004069DF
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00405D8E DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_00405D8E
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0098B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,5_2_0098B6B0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00987210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,memset,CopyFileA,DeleteFileA,memset,FindClose,5_2_00987210
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00993580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose,5_2_00993580
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_009897B0 FindFirstFileA,FindNextFileA,strlen,5_2_009897B0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_009813F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,5_2_009813F0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00988360 FindFirstFileA,CopyFileA,FindNextFileA,strlen,CopyFileA,FindClose,5_2_00988360
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00988C90 lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,strlen,lstrcpy,memset,lstrcpy,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpy,lstrcpy,CopyFileA,FindClose,FindClose,DeleteFileA,5_2_00988C90
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00995EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,_mbscpy,_splitpath,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose,5_2_00995EB0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0098ACD0 wsprintfA,FindFirstFileA,strlen,lstrlen,DeleteFileA,CopyFileA,FindClose,5_2_0098ACD0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00994E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,FindClose,5_2_00994E70
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00993FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,FindClose,5_2_00993FD0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00994950 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrlen,lstrlen,5_2_00994950
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00993AF0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen,5_2_00993AF0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0098FDD0 GetSystemInfo,wsprintfA,5_2_0098FDD0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
          Source: chrome.exe, 0000000C.00000002.1772994935.00000E540144C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service
          Source: is-CDLA5.tmp.3.drBinary or memory string: d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres != WAIT_TIMEOUTm->is_locked == 0d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres != WAIT_ABANDONEDd:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres == WAIT_OBJECT_0d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hd:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.h(m)->h == INVALID_HANDLE_VALUE%s: %s while initializing krb5 librarywhile converting etypewhile opening ccacheresolving keytab %swhile parsing principal name %swhile getting client principal namewhile parsing principal name %swhile formatting parsed principal name for '%s'client and server principal names must matchwhile getting credentials for %swhile decoding ticket for %s%s: kvno = %d, keytab entry invalid
          Source: is-CDLA5.tmp.3.drBinary or memory string: http://www.vmware.com/0
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service?a(
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000002.1177180087.000000000086D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: SystemScannerSetup.exe, 00000005.00000003.1461796705.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491978923.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1521641183.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus Pipes)]G
          Source: is-CDLA5.tmp.3.drBinary or memory string: VMware, Inc.0
          Source: chrome.exe, 0000000C.00000003.1701480510.0000024B2630E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processor.sysgap
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service<f
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partition
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
          Source: chrome.exe, 0000000C.00000003.1698333011.0000024B299F5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1697329287.0000024B299F5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1701727729.0000024B299F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/
          Source: is-CDLA5.tmp.3.drBinary or memory string: VMware, Inc.1>0<
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processors
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
          Source: chrome.exe, 0000000C.00000003.1698433319.0000024B263B5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1697567627.0000024B263B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Tra
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partition
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl#}g
          Source: chrome.exe, 0000000C.00000003.1697735041.0000024B26373000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate
          Source: chrome.exe, 0000000C.00000002.1770939625.00000E540115C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=5542bd07-112a-413d-b03a-3e4a9554a6fc
          Source: chrome.exe, 0000000C.00000003.1701450125.0000024B2635D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor[~
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B262AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V HypervisorA
          Source: chrome.exe, 0000000C.00000002.1774730234.00000E54018F4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Virtual USB Mouse
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B262AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
          Source: chrome.exe, 0000000C.00000003.1697860924.0000024B2633A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1701960561.0000024B26315000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actua
          Source: chrome.exe, 0000000C.00000003.1698114312.0000024B262E4000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1755024146.0000024B262AF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1698724796.0000024B262E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ime Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
          Source: chrome.exe, 0000000C.00000003.1694724989.0000024B2629E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V mqacavpbchkvrgi Bus'
          Source: chrome.exe, 0000000C.00000003.1701644449.0000024B29A4A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1697261061.0000024B29A12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Ref
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partition
          Source: chrome.exe, 0000000C.00000003.1697357858.0000024B299DA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1701754623.0000024B299DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor
          Source: chrome.exe, 0000000C.00000003.1698072323.0000024B26320000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1698621104.0000024B26323000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1698705367.0000024B26324000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1697935998.0000024B26309000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 1486
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V mqacavpbchkvrgi Bus Pipes
          Source: chrome.exe, 0000000C.00000003.1669107217.00000E5400380000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware20,1(
          Source: chrome.exe, 0000000C.00000003.1698114312.0000024B262E4000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1755024146.0000024B262AF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1698724796.0000024B262E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virt
          Source: chrome.exe, 0000000C.00000002.1750798384.0000024B2039D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B262AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition8
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual ProcessorOaX
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B262AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Registry\Machine\Software\Classes\Directory\shellex\PropertySheetHandlers\Sharingmmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980No?
          Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000002.1177180087.000000000086D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl
          Source: chrome.exe, 0000000C.00000003.1701929785.0000024B2634C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer I
          Source: chrome.exe, 0000000C.00000003.1698114312.0000024B262E4000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1698724796.0000024B262E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980No?
          Source: chrome.exe, 0000000C.00000003.1698552986.0000024B2634C000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1697829027.0000024B2634C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processor.mui
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B262AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
          Source: chrome.exe, 0000000C.00000003.1701872027.0000024B2639D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1698481828.0000024B26389000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Globa
          Source: chrome.exe, 0000000C.00000003.1701562642.0000024B2636E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nterrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costntly\\
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition1&
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26204000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
          Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisorr
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
          Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor>b
          Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_005901A3 LdrLoadDll,5_2_005901A3
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00510AF1 mov eax, dword ptr fs:[00000030h]5_2_00510AF1
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00510531 mov edx, dword ptr fs:[00000030h]5_2_00510531
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00510EA1 mov eax, dword ptr fs:[00000030h]5_2_00510EA1
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00511141 mov eax, dword ptr fs:[00000030h]5_2_00511141
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00511140 mov eax, dword ptr fs:[00000030h]5_2_00511140
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00511B2F mov eax, dword ptr fs:[00000030h]5_2_00511B2F
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00982690 lstrlen,StrCmpCA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,GetProcessHeap,RtlAllocateHeap,memcpy,lstrlen,memcpy,lstrlen,memcpy,lstrlen,HttpSendRequestA,Sleep,HttpQueryInfoA,InternetReadFile,InternetReadFile,StrCmpCA,InternetCloseHandle,InternetCloseHandle,5_2_00982690

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Searches for specific processes (likely to inject)
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00991310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,5_2_00991310
          Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmpProcess created: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENTJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: LocalAlloc,GetLocaleInfoA,GetLocaleInfoA,LocalFree,5_2_0098FC20
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0099BAA0 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,5_2_0099BAA0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00996F80 memset,GetModuleFileNameA,ShellExecuteEx,memset,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,5_2_00996F80
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_0098FBC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,5_2_0098FBC0
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeCode function: 5_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,GetModuleHandleA,5_2_00403645
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected Vidar stealer
          Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
          Source: Yara matchFile source: 00000005.00000003.1521581095.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SystemScannerSetup.exe PID: 7612, type: MEMORYSTR
          Found many strings related to Crypto-Wallets (likely being stolen)
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*,*.txt
          Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \ElectronCash\wallets\
          Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Electrum\wallets\
          Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
          Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: exodus.conf.json
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: info.seco
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ElectrumLTC
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: passphrase.json
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Ethereum\
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*,*.txt
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*,*.txt
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \MultiDoge\
          Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: seed.seco
          Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
          Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Electrum-LTC\wallets\
          Tries to harvest and steal Bitcoin Wallet information
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\ConfigurationJump to behavior
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.jsJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.dbJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.dbJump to behavior
          Tries to harvest and steal ftp login credentials
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
          Tries to steal Crypto Currency Wallets
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
          Source: Yara matchFile source: Process Memory Space: SystemScannerSetup.exe PID: 7612, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Attempt to bypass Chrome Application-Bound Encryption
          Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          Yara detected Vidar stealer
          Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
          Source: Yara matchFile source: 00000005.00000003.1521581095.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SystemScannerSetup.exe PID: 7612, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
          Command and Scripting Interpreter          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		1
          Software Packing          		2
          OS Credential Dumping          		2
          System Time Discovery          		Remote Services1
          Archive Collected Data          		2
          Ingress Tool Transfer          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          Create Account          		1
          Extra Window Memory Injection          		1
          Timestomp          		1
          Credentials in Registry          		1
          Account Discovery          		Remote Desktop Protocol4
          Data from Local System          		21
          Encrypted Channel          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)111
          Process Injection          		1
          DLL Side-Loading          		Security Account Manager4
          File and Directory Discovery          		SMB/Windows Admin Shares1
          Screen Capture          		1
          Remote Access Software          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          Extra Window Memory Injection          		NTDS35
          System Information Discovery          		Distributed Component Object Model1
          Clipboard Data          		3
          Non-Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
          Masquerading          		LSA Secrets111
          Security Software Discovery          		SSHKeylogging4
          Application Layer Protocol          		Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts111
          Process Injection          		Cached Domain Credentials12
          Process Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync3
          System Owner/User Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1632615 Sample: SwitchAutoSetup_v0.7.0.3.exe Startdate: 08/03/2025 Architecture: WINDOWS Score: 100 57 us.f.goldenloafuae.com 2->57 59 t.me 2->59 69 Suricata IDS alerts for network traffic 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected Vidar stealer 2->75 12 SwitchAutoSetup_v0.7.0.3.exe 2 2->12         started        signatures3 process4 file5 47 C:\Users\...\SwitchAutoSetup_v0.7.0.3.tmp, PE32 12->47 dropped 15 SwitchAutoSetup_v0.7.0.3.tmp 3 15 12->15         started        process6 file7 49 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 15->49 dropped 51 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 15->51 dropped 53 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 15->53 dropped 18 SwitchAutoSetup_v0.7.0.3.exe 2 15->18         started        process8 file9 35 C:\Users\...\SwitchAutoSetup_v0.7.0.3.tmp, PE32 18->35 dropped 21 SwitchAutoSetup_v0.7.0.3.tmp 5 27 18->21         started        process10 file11 37 C:\Users\...\libopencore-amrnb.dll (copy), PE32+ 21->37 dropped 39 C:\Users\user\AppData\...\is-QSQJJ.tmp, PE32 21->39 dropped 41 C:\Users\user\AppData\...\is-547IQ.tmp, PE32+ 21->41 dropped 43 22 other files (18 malicious) 21->43 dropped 24 SystemScannerSetup.exe 38 21->24         started        process12 dnsIp13 61 us.f.goldenloafuae.com 95.217.31.199, 443, 49723, 49724 HETZNER-ASDE Germany 24->61 63 t.me 149.154.167.99, 443, 49722 TELEGRAMRU United Kingdom 24->63 65 127.0.0.1 unknown unknown 24->65 45 C:\ProgramData\glxbs\wlfk6f, PE32+ 24->45 dropped 77 Attempt to bypass Chrome Application-Bound Encryption 24->77 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->79 81 Found many strings related to Crypto-Wallets (likely being stolen) 24->81 83 5 other signatures 24->83 29 chrome.exe 24->29         started        file14 signatures15 process16 dnsIp17 67 192.168.2.4, 138, 443, 49415 unknown unknown 29->67 32 chrome.exe 29->32         started        process18 dnsIp19 55 www.google.com 142.250.185.196, 443, 49735, 49738 GOOGLEUS United States 32->55

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          SwitchAutoSetup_v0.7.0.3.exe19%VirustotalBrowse
          SwitchAutoSetup_v0.7.0.3.exe16%ReversingLabsWin32.Malware.Generic

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\ProgramData\glxbs\wlfk6f0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_isdecmp.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_setup64.tmp0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_iscrypt.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_isdecmp.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_setup64.tmp0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\IETAG.DLL (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe (copy)21%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\GitLab.UI.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\blocked-file-util.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\bzip2recover.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-CDLA5.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-FJU40.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-GTHAH.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-J3R4N.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-JL3NL.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-MMEK3.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-P0TS2.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-T2KNG.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\kvno.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\p11-kit.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\pkcs1-conv.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\tclsh86.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\wish86.exe (copy)0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-2NH1K.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-547IQ.tmp0%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-QSQJJ.tmp21%ReversingLabs
          C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\libopencore-amrnb.dll (copy)0%ReversingLabs

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://ocsps.ssl.com0?0%Avira URL Cloudsafe
          https://drive-daily-5.corp.google.com/0%Avira URL Cloudsafe
          https://us.f.goldenloafuae.com~0%Avira URL Cloudsafe
          https://us.f.goldenloafuae.com/G0%Avira URL Cloudsafe
          https://us.f.goldenloafuae.com/B0%Avira URL Cloudsafe
          https://us.f.goldenloafuae.com/sts0%Avira URL Cloudsafe
          https://crbug.com/368855.)0%Avira URL Cloudsafe
          https://drive-preprod.corp.google.com/0%Avira URL Cloudsafe
          https://us.f.goldenloafuae.comd0%Avira URL Cloudsafe
          https://us.f.goldenloafuae.com/s0%Avira URL Cloudsafe
          http://crl.m&0%Avira URL Cloudsafe
          https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg0%Avira URL Cloudsafe
          https://us.f.goldenloafuae.com/qh0%Avira URL Cloudsafe
          https://drive-daily-6.corp.google.com/0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          us.f.goldenloafuae.com
          		95.217.31.199
          		truetrue
            		unknown
            t.me
            		149.154.167.99
            		truefalse
              		high
              www.google.com
              		142.250.185.196
              		truefalse
                		high

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                https://t.me/l793oyfalse
                  		high
                  https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhEfalse
                    		high

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://mail.google.com/mail/?usp=installed_webappchrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpfalse
                      		high
                      https://duckduckgo.com/ac/?q=SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0QSwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpfalse
                          		high
                          http://www.vmware.com/0is-CDLA5.tmp.3.drfalse
                            		high
                            https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditingchrome.exe, 0000000C.00000002.1762877466.00000E54000E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764570210.00000E5400450000.00000004.00001000.00020000.00000000.sdmpfalse
                              		high
                              https://support.google.com/chrome/answer/6098869chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                		high
                                https://mail.google.com/chat/download?usp=chrome_defaultfaultchrome.exe, 0000000C.00000002.1774625425.00000E54018C8000.00000004.00001000.00020000.00000000.sdmpfalse
                                  		high
                                  https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=bchrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmpfalse
                                    		high
                                    https://docs.google.com/document/Jchrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpfalse
                                      		high
                                      https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhonechrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                        		high
                                        http://ocsps.ssl.com0?SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmpfalse
                                          		high
                                          https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmpfalse
                                              		high
                                              https://support.google.com/chrome?p=desktop_tab_groupschrome.exe, 0000000C.00000003.1713172327.00000E5400540000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764735847.00000E5400540000.00000004.00001000.00020000.00000000.sdmpfalse
                                                		high
                                                http://dns-tunnel-check.googlezip.net/connectchrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://crbug.com/368855.)chrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://docs.google.com/chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://docs.google.com/document/:chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://mail.google.com/chat/chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770740981.00000E54010E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766652476.00000E5400908000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769596352.00000E5400E2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771758681.00000E540128C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675910854.00000E54010E4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://us.f.goldenloafuae.com/stsSystemScannerSetup.exe, 00000005.00000002.2416786437.0000000003840000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://unisolated.invalid/chrome.exe, 0000000C.00000002.1769101880.00000E5400DA0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.remobjects.com/psSwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000000.1167130222.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SwitchAutoSetup_v0.7.0.3.tmp.0.drfalse
                                                            		high
                                                            https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrlchrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                                              		high
                                                              https://www.google.com/chrome/tips/chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768879134.00000E5400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767697553.00000E5400B68000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://www.innosetup.com/SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000000.1167130222.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SwitchAutoSetup_v0.7.0.3.tmp.0.drfalse
                                                                  		high
                                                                  https://drive.google.com/?lfhs=2chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://ogs.google.com/widget/callout?eom=1chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)chrome.exe, 0000000C.00000002.1762643984.00000E5400040000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.certum.pl/CPS0SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drfalse
                                                                          		high
                                                                          https://www.youtube.com/?feature=ytcachrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://www.google.com/chrome/browser-tools/chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.google.com/tools/feedback/chrome/__submit7Echrome.exe, 0000000C.00000002.1765080772.00000E5400620000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://docs.google.com/document/u/0/create?usp=chrome_actionschrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://us.f.goldenloafuae.com/sSystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://chrome.google.com/webstorechrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://us.f.goldenloafuae.com~SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      https://www.google.com/intl/en/about/products?tabchrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&ctaSystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://drive-daily-5.corp.google.com/chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            		unknown
                                                                                            https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actionschrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacychrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrlchrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                                                                                  		high
                                                                                                  https://m.google.com/devicemanagement/data/apichrome.exe, 0000000C.00000002.1763731535.00000E54002CC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://steamcommunity.com/profiles/76561199829660832SystemScannerSetup.exe, 00000005.00000002.2414264528.0000000002510000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://docs.google.com/presentation/u/0/create?usp=chrome_actionschrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://chromewebstore.google.com/chrome.exe, 0000000C.00000002.1763405975.00000E54001D0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://us.f.goldenloafuae.com/BSystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://drive-preprod.corp.google.com/chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://us.f.goldenloafuae.comdSystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://clients4.google.com/chrome-syncchrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://gemini.google.com/app?q=chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://gemini.google.com/glic/intro?chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://us.f.goldenloafuae.com/GSystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://ocsp.sectigo.com0SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drfalse
                                                                                                                  		high
                                                                                                                  https://docs.google.com/presentation/Jchrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://www.unicode.org/copyright.htmlchrome.exe, 0000000C.00000002.1751274379.0000024B207A0000.00000002.00000001.00040000.00000019.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://drive.google.com/drive/installwebapp?usp=chrome_defaultchrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://chrome.google.com/webstoreLDDiscoverchrome.exe, 0000000C.00000002.1771188780.00000E5401198000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675988183.00000E54012E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0QSwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://docs.google.com/presentation/:chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://crl.m&SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1426803738.000000000066F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              		unknown
                                                                                                                              https://lens.google.com/gen204chrome.exe, 0000000C.00000003.1711364407.00000E5401558000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://www.google.com/images/branding/product/ico/googleg_alldp.icoSystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764048514.00000E5400388000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767520370.00000E5400B24000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769951709.00000E5400EFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764693613.00000E5400500000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763246356.00000E540018C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711933931.00000E5400500000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://crl.thawte.com/ThawteTimestampingCA.crl0is-CDLA5.tmp.3.drfalse
                                                                                                                                    		high
                                                                                                                                    https://mail.google.com/mail/?tab=rm&amp;ogblchrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://www.google.com/chrome/privacy/eula_text.htmlH&elpManagedchrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        http://subca.ocsp-certum.com01SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drfalse
                                                                                                                                          		high
                                                                                                                                          https://chromeenterprise.google/policies/#BrowserSwitcherUrlListchrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePWchrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://policies.google.com/chrome.exe, 0000000C.00000002.1768135751.00000E5400C1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp, chrome.exe, 0000000C.00000003.1675837986.00000E54011A8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://apis.google.comchrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://support.mozilla.org/products/firefoxgro.allSystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://labs.google.com/search?source=ntpchrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://google-ohttp-relay-query.fastly-edge.com/2Pchrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            https://ogs.google.com/widget/app/so?eom=1chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              https://chrome.google.com/webstore/category/extensionschrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                                                                                                                                                		high
                                                                                                                                                                https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgSystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                		unknown
                                                                                                                                                                https://mail.google.com/chat/download?usp=chrome_defaultValidatorchrome.exe, 0000000C.00000002.1770212051.00000E5400FB4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  		high
                                                                                                                                                                  https://us.f.goldenloafuae.com/qhSystemScannerSetup.exe, 00000005.00000003.1552809969.0000000000630000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  		unknown
                                                                                                                                                                  https://www.google.com/searchchrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713907864.00000E5401B08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713870726.00000E5401AFC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                    		high
                                                                                                                                                                    http://www.google.com/update2/responsechrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://login.microsoftonline.com/comonchrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                        		high
                                                                                                                                                                        https://www.certum.pl/CPS0SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.drfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://support.google.com/chrome/a/?p=browser_profile_detailschrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                                                                                                                                                            		high
                                                                                                                                                                            https://google-ohttp-relay-join.fastly-edge.com/chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://www.ecosia.org/newtab/v20SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                		high
                                                                                                                                                                                http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                  		high
                                                                                                                                                                                  https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2Kchrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgSystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      		high
                                                                                                                                                                                      https://drive-daily-6.corp.google.com/chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                                      		unknown
                                                                                                                                                                                      https://duckduckgo.com/chrome_newtabv20SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        		high
                                                                                                                                                                                        https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelistchrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmpfalse
                                                                                                                                                                                          		high
                                                                                                                                                                                          https://gemini.google.com/glic2chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                            		high

                                                                                                                                                                                            World Map of Contacted IPs

                                                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                                                            • 75% < No. of IPs

                                                                                                                                                                                            Public IPs

                                                                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                            95.217.31.199
                                                                                                                                                                                            		us.f.goldenloafuae.comGermany
                                                                                                                                                                                            		24940HETZNER-ASDEtrue
                                                                                                                                                                                            142.250.185.196
                                                                                                                                                                                            		www.google.comUnited States
                                                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                                                            149.154.167.99
                                                                                                                                                                                            		t.meUnited Kingdom
                                                                                                                                                                                            		62041TELEGRAMRUfalse

                                                                                                                                                                                            Private

                                                                                                                                                                                            IP
                                                                                                                                                                                            192.168.2.4
                                                                                                                                                                                            127.0.0.1

                                                                                                                                                                                            General Information

                                                                                                                                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                                                            Analysis ID:1632615
                                                                                                                                                                                            Start date and time:2025-03-08 14:07:20 +01:00
                                                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                                                            Overall analysis duration:0h 7m 42s
                                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                                            Report type:full
                                                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                            Number of analysed new started processes analysed:17
                                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                                            Technologies:
                                                                                                                                                                                            • HCA enabled
                                                                                                                                                                                            • EGA enabled
                                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                                            Sample name:SwitchAutoSetup_v0.7.0.3.exe
                                                                                                                                                                                            Detection:MAL
                                                                                                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@25/62@5/5
                                                                                                                                                                                            EGA Information:
                                                                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                                                                            HCA Information:
                                                                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                                                                            • Number of executed functions: 75
                                                                                                                                                                                            • Number of non-executed functions: 90
                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                            • Found application associated with file extension: .exe

                                                                                                                                                                                            Warnings

                                                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 199.232.214.172, 142.250.184.206, 142.250.185.67, 172.217.16.206, 142.251.168.84, 142.250.186.174, 142.250.186.163, 142.250.186.142, 142.250.185.174, 23.60.203.209, 20.109.210.53
                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, www.gstatic.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                                                                                                            Simulations

                                                                                                                                                                                            Behavior and APIs

                                                                                                                                                                                            TimeTypeDescription
                                                                                                                                                                                            08:08:19API Interceptor1x Sleep call for process: SwitchAutoSetup_v0.7.0.3.tmp modified

                                                                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                                                                            IPs

                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                            149.154.167.99http://45.142.208.144.sslip.io/blog/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/img/emoji/40/F09F9889.png
                                                                                                                                                                                            http://xn--r1a.website/s/ogorodruGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/img/favicon.ico
                                                                                                                                                                                            http://cryptorabotakzz.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/
                                                                                                                                                                                            http://cache.netflix.com.id1.wuush.us.kg/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
                                                                                                                                                                                            http://investors.spotify.com.sg2.wuush.us.kg/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/
                                                                                                                                                                                            http://bekaaviator.kz/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/
                                                                                                                                                                                            http://telegramtw1.org/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/?setln=pl
                                                                                                                                                                                            http://makkko.kz/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.org/
                                                                                                                                                                                            http://telegram.dogGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • telegram.dog/
                                                                                                                                                                                            LnSNtO8JIa.exeGet hashmaliciousCinoshi StealerBrowse
                                                                                                                                                                                            • t.me/cinoshibot

                                                                                                                                                                                            Domains

                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                            t.meKMSpico.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            KMSpico.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            file.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            LtCPevm69G.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            https://graph.org/WBACK-03-06?qb3nGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            EasyWay.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            Collapse.exeGet hashmaliciousLummaC Stealer, PureLog StealerBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            q3na5Mc.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            Yanto v1.2.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 149.154.167.99

                                                                                                                                                                                            ASNs

                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                            TELEGRAMRU1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            RFQ_PO_98473009.png.exeGet hashmaliciousMSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            uK5pfobYyD.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            n8l3NmC5EH.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            DbAAqJQFmx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            OW1i3n5K3s.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            XFo9jVGyLQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            HETZNER-ASDEna.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242
                                                                                                                                                                                            ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                            • 5.161.109.169
                                                                                                                                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242
                                                                                                                                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242
                                                                                                                                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242
                                                                                                                                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242
                                                                                                                                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242
                                                                                                                                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242
                                                                                                                                                                                            https://docs.google.com/drawings/d/1xUXBcSQgwpQ-o9JYAXlo15maWwVxBMiXZKHY1_EXu1c/previewGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                            • 5.161.60.177
                                                                                                                                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                                                                                            • 88.198.246.242

                                                                                                                                                                                            JA3 Fingerprints

                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                            28a2c9bd18a11de089ef85a160da29e4Rockfon_Vmail_RDRUJND.svgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            https://docs.google.com/drawings/d/1xUXBcSQgwpQ-o9JYAXlo15maWwVxBMiXZKHY1_EXu1c/previewGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            http://insprocks.com/Insprock289.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            Magic_V_pro_setup_stable_latest_release_version_9_709.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            http://www.texascrafted.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            SecuriteInfo.com.Program.Unwanted.5412.9015.527.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            6F9vhIKqe7.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            Play_Voicemail_Transcription._(387.KB).svgGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            SecuriteInfo.com.FileRepMalware.23820.12149.exeGet hashmaliciousStrela StealerBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            Launcher.exeGet hashmaliciousGrowtopia, Phoenix StealerBrowse
                                                                                                                                                                                            • 204.79.197.222
                                                                                                                                                                                            37f463bf4616ecd445d4a1937da06e19SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            Magic_V_pro_setup_stable_latest_release_version_9_709.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            Magic_V_pro_setup_stable_latest_release_version_9_709.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            BWllpq4Tel.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            uK5pfobYyD.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            MNLS4PjscF.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            MNLS4PjscF.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                                            • 95.217.31.199
                                                                                                                                                                                            • 149.154.167.99

                                                                                                                                                                                            Dropped Files

                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                            C:\ProgramData\glxbs\wlfk6flem.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                              1.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                SecuriteInfo.com.Win32.Malware-gen.26093.20806.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                  N11R7lRasm.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                    SecuriteInfo.com.Trojan.Inject5.16384.2170.8558.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                      random.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                        hX2c2UOBSX.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                          dOuC8iH5As.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                            SQ1NgqeTQy.exeGet hashmaliciousLummaC, Amadey, AsyncRAT, KeyLogger, LummaC Stealer, Stealc, StormKittyBrowse
                                                                                                                                                                                                              1l1ohfybAf.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dllAppKMSPico.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                  AppKMSPico.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                                    dxRwXy19pq.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                      SecuriteInfo.com.W32.PossibleThreat.20086.24920.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                        12321321.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                          SecuriteInfo.com.Win32.Malware-gen.14270.13618.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                              file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                                tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                                  tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse

                                                                                                                                                                                                                                    Created / dropped Files

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\0zuaie

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):114688
                                                                                                                                                                                                                                    Entropy (8bit):0.9746603542602881
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                                                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                                                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                                                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                                                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\2djmo8

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):2947
                                                                                                                                                                                                                                    Entropy (8bit):5.120077314818075
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:48:22e8T8PvMu0846PYPvJ8+F9gUUL0VlxfMUIgPdunPduZJ0gPdunPduZQ/+lx3cCQ:22X8PvMu0LtPvJPF+0VlVO0z60w+lfah
                                                                                                                                                                                                                                    MD5:C7E301D9DD77A21C1CDBD73A63AF205C
                                                                                                                                                                                                                                    SHA1:715D25AA0C06B2AD162F52A8DE06FB5040C389B1
                                                                                                                                                                                                                                    SHA-256:239C9A49ACDA9FC9845B87819A33D07F359803153FEFFE4D2212989F82DE71E1
                                                                                                                                                                                                                                    SHA-512:B0E6FFB10EF5EB9EB433A23803591C84F603779306E78B1648374218A50D2F77E8EE7215615E9D1BE033A96B735321FCA9D5F7B0CB65661674346FC1546E43FE
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:04:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:39:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Crypto-keys-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml xmlns="">.. Check as this is only valid for down-level OS < t

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\2ny5p8

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):4533
                                                                                                                                                                                                                                    Entropy (8bit):5.1021772201912805
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:96:22X8PvMu0jPvJPM0UJl1/Qi9XexcElVOaBIpgmQlwYBwkbsgobVu:MUnZUb1xXMV37BhgVu
                                                                                                                                                                                                                                    MD5:477F010FDB6BD5E5E57D6DEC5449F2FB
                                                                                                                                                                                                                                    SHA1:73F9C03AF35B29EC2404BB70FEDC8C9ADADE74F6
                                                                                                                                                                                                                                    SHA-256:2DBEDD5D4D6645E9ED45563FDB1DC42387EF24C9CF5D6A08EC3BE448073C4696
                                                                                                                                                                                                                                    SHA-512:3C630BE96FC7FCD0036D254BA4D197AB31F37F6DAC411F8C78E624B0501D0205AF36CD5A29EC98D96D5D8D88EF2DBB2DF3A62C6F658A93302ECA500B8EC74F2F
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-dpapi-keys-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows V

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\3wtj5f

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):98304
                                                                                                                                                                                                                                    Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\6fcb1v

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):2062
                                                                                                                                                                                                                                    Entropy (8bit):4.925445222257812
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:48:227+9gUKl+lxFcCY4/YBu4yTy3opyLyXyoyOyzylpjyA:22Sw+lxaWm3uCL9Gv
                                                                                                                                                                                                                                    MD5:60145F68B1CF9440FA663820AE11CE4B
                                                                                                                                                                                                                                    SHA1:10195A2926015E3024D769673E004AA60DFEC0A3
                                                                                                                                                                                                                                    SHA-256:4805E01EB0C9B3DFEB6B754D4148588E2FB798734D9EDE20E53EB8E75158B64F
                                                                                                                                                                                                                                    SHA-512:55D088040D25D4CBFF5A4210A85107666E628C67CA3134B0C836E135DBFE82AA4FA70185993E99D951307F7D159C1428B390727DA17EFEC5AA4BE9D799B96895
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Kerberos-Key-Distribution-Center-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\kdc\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Reg

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\79h47yuk6

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):40960
                                                                                                                                                                                                                                    Entropy (8bit):0.8616778647394084
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
                                                                                                                                                                                                                                    MD5:BDDE4AD11E732420E7ABCCA946B11611
                                                                                                                                                                                                                                    SHA1:278C3386A37BAFCA507CF4C128600B01B312DDA0
                                                                                                                                                                                                                                    SHA-256:099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
                                                                                                                                                                                                                                    SHA-512:B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\89r1ng

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):139264
                                                                                                                                                                                                                                    Entropy (8bit):1.1366509594298093
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
                                                                                                                                                                                                                                    MD5:C5CFBCA422AD1353E7116A02424C59FD
                                                                                                                                                                                                                                    SHA1:38F032839FC5E1F890FAA636390A3CC9556AD350
                                                                                                                                                                                                                                    SHA-256:F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
                                                                                                                                                                                                                                    SHA-512:94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\aa1ng4

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):4309
                                                                                                                                                                                                                                    Entropy (8bit):5.059776328378613
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:96:22CBzmeQiHRAQgXx9QgXcOaBIpghKkQlwYBwkbsgo9:MmCZy7BhA
                                                                                                                                                                                                                                    MD5:3A9306662FE93D09B05B9AE44128BCF1
                                                                                                                                                                                                                                    SHA1:77A917FFE8FF0EAAD8F3D3B764836C810E4C9DF5
                                                                                                                                                                                                                                    SHA-256:1988183ECBC3C6987DA9CB598C78B52D7563D995FA94D1E91E0470392E765374
                                                                                                                                                                                                                                    SHA-512:DA1F2776E8D1E08076032365B0D463DC847A31C6C360181D9966488455E878C7738DEC6F2B39153B2A410E3BEB73A05EB524593D125077273343740826A7B9F9
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-dpapi-keys".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="1".. replacementSettingsVersionRange="0" .. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Protect [CREDHIST]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Protect\* [Preferred]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.DestinationPriority()">.. <objectSet>..

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\aa1ng4wba

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):49152
                                                                                                                                                                                                                                    Entropy (8bit):0.8180424350137764
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                                                                                    MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                                                                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                                                                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                                                                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\as26fu

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3046000, file counter 6, database pages 41, 1st free page 29, free pages 1, cookie 0x25, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):196608
                                                                                                                                                                                                                                    Entropy (8bit):0.4792253015780342
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:96:xWpdkG7xQ+ALqL/uejzH+bF+UIYysX0lj/twfLyl0e9S8E:ApdkG77IqL/tH+bF+UI3i67Kylj9
                                                                                                                                                                                                                                    MD5:33642526D21BAF34FB5D5AAF11B3FB91
                                                                                                                                                                                                                                    SHA1:A64B4A7605D8B449C085474A3484921975EF6C14
                                                                                                                                                                                                                                    SHA-256:3ED06184837C7FF625C54589CA2037F127E0525E3541DE8960A9D5503625862B
                                                                                                                                                                                                                                    SHA-512:A013359FCBAC1005653793D3FF6398E32746E2F6FFCDA26AA3C9EB96279F7A2E989E05B5B8D2510EAF5F93DDD6281A71773DA81C472FCC71AD74315353948782
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ .......)...........%......................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\bsriec

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):10219
                                                                                                                                                                                                                                    Entropy (8bit):4.966520026409024
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:96:NPgBOOzJMk67cY82SGrPVYRjDjXK2F6KJzLLwGXtXqWgrjj31jj6OzJMk67cY82s:UYwP62I+Wr3JjkwP62I+Ws
                                                                                                                                                                                                                                    MD5:381138FA1B1C4C298AD2441898677ED6
                                                                                                                                                                                                                                    SHA1:B8A0B0ECAAF6F3BBD7C27DD54ACD4BC3366DD0A4
                                                                                                                                                                                                                                    SHA-256:D4EE07BC2183E3D013B68B080B9E2F603676B27F8B0C95CCA2ED533BC671FAFA
                                                                                                                                                                                                                                    SHA-512:095C2B1C129C36125FE17ED096FDE58AE0F8AF61527D9AEDCAB379C3221BF09D87F28846E6FA3CF9FE05C750689A2ADFCDD1AB67409780A12A425A33219858EC
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI-Component".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. optimizePatterns="no".. offlineApply="no".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-10.0".. scope="MigWiz,Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Downlevel settings -->.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultUserName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultDomainName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsof

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\d2dba1

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):126976
                                                                                                                                                                                                                                    Entropy (8bit):0.47147045728725767
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                                                                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                                                                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                                                                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                                                                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\f3wl6x

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):3019
                                                                                                                                                                                                                                    Entropy (8bit):4.884926762491409
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:48:22e8z2j+YgfH0LeIg6aFnJmINGbYgaFnQ7sPvh27+QgL7sYN2b4waFnw+:22X2qD0SPJv1/Pvh2S/pVN
                                                                                                                                                                                                                                    MD5:63F04FB9936532B21E616E88E3EBED14
                                                                                                                                                                                                                                    SHA1:56CEC96A0D4B10C6FC28C726B76BEF278CBC512F
                                                                                                                                                                                                                                    SHA-256:61C5B3D0FD4051236AD00A0A39BE2F75F7E0DEC2AFBFF85617AED19AEF3FC650
                                                                                                                                                                                                                                    SHA-512:66FF4756CE723378126DC6C1EC493B665D08387B3305A97ED9A80500CCCE6001DFB7F8957E8246C7C572D0362DA49EEC7AF8451B849F9E0E89FD8E14041CE75D
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Extensible-Authentication-Protocol-Host-Service".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1.7150".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Methods\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Configuration\

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\fcbimy

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:ASCII text, with very long lines (1809), with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):9571
                                                                                                                                                                                                                                    Entropy (8bit):5.536643647658967
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
                                                                                                                                                                                                                                    MD5:5D8E5D85E880FB2D153275FCBE9DA6E5
                                                                                                                                                                                                                                    SHA1:72332A8A92B77A8B1E3AA00893D73FC2704B0D13
                                                                                                                                                                                                                                    SHA-256:50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
                                                                                                                                                                                                                                    SHA-512:57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\l6xlf3

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):1468
                                                                                                                                                                                                                                    Entropy (8bit):5.0065780470180306
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:24:p/o2e8GFp8PvMu0Vnu7vFPvJ8+FXg0Mej39ImlQu/kKcCEF4wflBX0FCUK:22e8+8PvMu0VnuRPvJ8+FXgMtImlx3cd
                                                                                                                                                                                                                                    MD5:E68A33BDAF7AEBE6D5BBBCEFDED6AC5C
                                                                                                                                                                                                                                    SHA1:A1120341BB4452FCA47EB5EA8FA62A08BFC48073
                                                                                                                                                                                                                                    SHA-256:A5DC5B9F31D69E6F65F405EF4E187BAB262746AAAC08E95C195AA77A0B310DE1
                                                                                                                                                                                                                                    SHA-512:69E1A60C0FFE8AA19B55FABE47801EEEA7CF4C84E426318D8B7BFFAF09A14FC5F569573BE30753D354B604911A616C231F485B08C3778E0A214F7E3DC9C21D2C
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="artbaker".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="artbaker".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Cryptography-CryptoConfig-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>..

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\ppzus2

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):2829
                                                                                                                                                                                                                                    Entropy (8bit):5.130068712095974
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:48:/2e8G+F0Vg8DIIgPdunPduPPduNJ7IgfCfikfidjikjirJu/MY4C5uXC5u/C5upL:/29F+cO0Mf7Rwiai5ieiFEMAQSQaQwX4
                                                                                                                                                                                                                                    MD5:CD55A48FE382A6820EC4FB55A66C2858
                                                                                                                                                                                                                                    SHA1:70A0A7B0E12DF915BD5E68FF0432637EFC2153DE
                                                                                                                                                                                                                                    SHA-256:97838AB994B53DFADEEF63955EECB05A7F118C2066EF97B0B0EB7BB48A526451
                                                                                                                                                                                                                                    SHA-512:37C6D78CCD807B04834659B5E796424C443B2C4F72481CB4080ED1BC5E6A954E47C4AF837A653DDAAFED2372C4FF60CE442170EA58586AB93C57B841449C5195
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Crypto-keys".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration scope="Upgrade,MigWiz,USMT" .. replacementVersionRange="6.0-6.1".. replacementSettingsVersionRange="0".. settingsVersion="0" .. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\RSA\*[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\DSS\*[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\Keys[*]</pattern>.. </objectSet>.. </include>.. </rules>..

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\sr90zu

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):1941
                                                                                                                                                                                                                                    Entropy (8bit):4.861537145678193
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:48:22e8v+phDgrcHreIg/0xJ9U3C0gcj0kqIg/0xJuX:22CphPHyx0ruS0N0kqx0rQ
                                                                                                                                                                                                                                    MD5:6F0056EC818D4FC20158F3FF190D6D6A
                                                                                                                                                                                                                                    SHA1:9E2108FE560CC2187395C5EED011559D201CE45D
                                                                                                                                                                                                                                    SHA-256:2F9596801DBE57D73C292BE4F93BD0C05F6D0A44C7A45F5F03FDBE35993B7DEC
                                                                                                                                                                                                                                    SHA-512:72C193919EC4402D430CCBCC4F9A9B25DC9AAECBCCAEE666EFE20DA4133964D2382F1090EEB8FB0A3073ACAA7825AF7A62B59447D29F912A19BD4C04CDDF1AD1
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateAuthority-Enrollment-ServerUpgrade".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\CES [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of CES. -

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\tjeukx

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):889
                                                                                                                                                                                                                                    Entropy (8bit):5.016955029110262
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:24:p/o2e8ZR+Vj3Xg0cjAkt3QbENgwnwJXMFhUK:22e8v+VrgfAbIggwJuX
                                                                                                                                                                                                                                    MD5:2948FF1C0804EC7DB473BB77EB3FBE4E
                                                                                                                                                                                                                                    SHA1:98A97AFC0E4E2B09A17AA0746F455DFD24356357
                                                                                                                                                                                                                                    SHA-256:2F6B99F5915A462CAFF60950839E1498F12C9F8194DB3DA02251C5BD2CAD700E
                                                                                                                                                                                                                                    SHA-512:8393B3AE7D44A4DD85D05D48768F9123910E603C477A3CACC6BF12D03D464959EC01A293B0B3317B0F8470A76D71F695098AE211DD6200D8F7F21E1C757F4EDA
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-PopKeySrv".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. offlineApply="no".. scope="Upgrade,Data".. settingsVersion="3".. replacementSettingsVersionRange="0-2" .. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\usrqq1

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):1065
                                                                                                                                                                                                                                    Entropy (8bit):4.96984082363901
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:24:p/o2e8ZF2YS+pg0cjh3N1LRMEF4wuSb3wuyBX0FCUK:22e8z2j+pgfZlMY4Qr0B2A
                                                                                                                                                                                                                                    MD5:4DBFCA3B87A59186D2612A95CA2CD899
                                                                                                                                                                                                                                    SHA1:4C84BD2D60CE789B44070CDDC296C09D2F52B1CC
                                                                                                                                                                                                                                    SHA-256:2C229D8DA31E17FCEF244A8A2029CA8FE8374738A9ECBFED9E23FB89DB8DF059
                                                                                                                                                                                                                                    SHA-512:704ECDBE3FC38AC3807946072C7C523C36B4AF1586BEFE01A87BBBF35CF20214A0E0DE892A56E74FE8AA806154D7D2B9CC7028AEF47BEC326564B5F18CD12421
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-OneCore-TetheringService".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Roaming\*[*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Settings\*[*]</pattern>.. </objectSet>.. </include>.. </rules>..

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\v3e3wl

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):1095
                                                                                                                                                                                                                                    Entropy (8bit):4.976174799333973
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:24:p/o2e8ZR+UX6g0cj3+3A63sDEF4wwVpQwuoMBX0FCUK:22e8v+DgfLUwY4fcZB2A
                                                                                                                                                                                                                                    MD5:ECC51190BD585AB376691BBDDF2A638B
                                                                                                                                                                                                                                    SHA1:84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0
                                                                                                                                                                                                                                    SHA-256:6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
                                                                                                                                                                                                                                    SHA-512:C0626F92BD934A3C5295EA32D63910C3F51E0A47CB6287C698C0DF7EE66C1D1A1867FDE10F824BD7514566C69CD2DA16571D3F0DC56FE9DE39D13F89DFE2A02A
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Embedded-KeyboardFilterService-Client".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. Per-machine state -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MsKeyboardFilter [Start]</pattern>.. </objectSet>.. </inc

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\vs0hvs

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):8193
                                                                                                                                                                                                                                    Entropy (8bit):5.027484893998515
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:96:WNPERXr2q6QOOzJMk67cY8GrPVYRjDjXK2FJpjjsjwjZjj6OzJMk67cY8GrPVYRM:a2gwP625sQ9jsw902I
                                                                                                                                                                                                                                    MD5:2D6ACF2AEC5E5349B16581C8AE23BF3E
                                                                                                                                                                                                                                    SHA1:0AA7B29E8F13EB16F3DFC503D4E8CC55424ECB15
                                                                                                                                                                                                                                    SHA-256:B48F54A1F8A4C3A25D7E0FBCB95BF2C825C89ACD9C80EBACE8C15681912EDEA2
                                                                                                                                                                                                                                    SHA-512:7943AA852F34778B9197C34E6B6978FE51E0CDD2130167CB9C7C56D1B2B1272051EFE03DF3A21A12ECB9B9303DE0733E335CDE0BBBE1A1FC429E3323D335A1FE
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. AuthUI has 3 different component names that matter in its migration story... The one that applies during the migration gather phase is as follows:.. Microsoft-Windows-Authentication-AuthUI: Vista and Win7.. Microsoft-Windows-Authentication-AuthUI-Component: Win8 (and beyond).. In order to support migration from Vista/Win7 to Win8, we update the Microsoft-Windows-Authentication-AuthUI component.. to gather in the MigWiz scope (in addition to the Upgrade scope, which it already supported)... -->.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. optimizePatterns="no".. offlineApply="no".. alwaysProcess="yes".. scope="MigWiz,

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\wlfk6f

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):24008
                                                                                                                                                                                                                                    Entropy (8bit):6.062446965815151
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:192:GKODczWz9IdqYbN9h+rKipXKuS28xb3HWJvah46Flkzl2W4FWEWSawTyihVWQ4e1:6DiWzGG+mKlxb32JyczEW4FWdwGyUlI
                                                                                                                                                                                                                                    MD5:6AEAEBF650EFC93CD3B6670A05724FE8
                                                                                                                                                                                                                                    SHA1:A4FE07E6C678AC8D4DC095997DB5043668D103B4
                                                                                                                                                                                                                                    SHA-256:C86891B9DF9FEEA2E98F50C9950CB446DB97A513AF0C23810F7CA818A6187329
                                                                                                                                                                                                                                    SHA-512:5C7E8C7DBAEB22956C774199BAD83312987240D574160B846349C0E237445407FF1CAACD2984BFAD0BBBE6011CC8918AF60A0EBBE82A8561CAFA4DF825ADD183
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                                                                                                    • Filename: lem.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: 1.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: SecuriteInfo.com.Win32.Malware-gen.26093.20806.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: N11R7lRasm.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: SecuriteInfo.com.Trojan.Inject5.16384.2170.8558.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: random.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: hX2c2UOBSX.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: dOuC8iH5As.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: SQ1NgqeTQy.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: 1l1ohfybAf.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q..Q..Q..E...S..E...]..Q..t..E...Z..E...P..E...S..E.S.P..E...P..RichQ..................PE..d....Q.!..........",.........$......................................................Bn....`A.........................................<..X....<..x....p..(....`..h....<...!......(....8..T............................0..............(1..0............................text...p........................... ..`.rdata..>....0......................@..@.data...`....P.......0..............@....pdata..h....`.......2..............@..@.rsrc...(....p.......4..............@..@.reloc..(............:..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\ProgramData\glxbs\y5fc2v

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):294912
                                                                                                                                                                                                                                    Entropy (8bit):0.08436842005578409
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n
                                                                                                                                                                                                                                    MD5:2CD2840E30F477F23438B7C9D031FC08
                                                                                                                                                                                                                                    SHA1:03D5410A814B298B068D62ACDF493B2A49370518
                                                                                                                                                                                                                                    SHA-256:49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
                                                                                                                                                                                                                                    SHA-512:DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\json[1].json

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe
                                                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):1787
                                                                                                                                                                                                                                    Entropy (8bit):5.381639004214078
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:48:SfNaoC1TECdfNaoC8DC8ffNaoCp9lCpbfNaoCJ50UrU0U8CH:6NnC1TECJNnCoCONnCFC5NnCr0UrU0UF
                                                                                                                                                                                                                                    MD5:E960921B37959BA8C1E8D0DDF14E52F5
                                                                                                                                                                                                                                    SHA1:31DA673B61F329E6BB6B5007C49A9BFF0B21A79A
                                                                                                                                                                                                                                    SHA-256:F17A0D50B134205F036CEC723D8F9D4DC6A07BD4B3AA4ED1775DF0C0B1D5C7A4
                                                                                                                                                                                                                                    SHA-512:AAD390C0E8486175335822B174C9DEF315FFA5465A3A83C0A8DAA0CC5EEE167A85D1A59F404B8F4F33F16F8FB38A1EE23CFA7B1B6DA1BC46A8103E240D2E8749
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/76EEEA40DA7D5B70065EC4927F683EFB",.. "id": "76EEEA40DA7D5B70065EC4927F683EFB",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/76EEEA40DA7D5B70065EC4927F683EFB"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/88579438B47876A727E0B3A9492B696B",.. "id": "88579438B47876A727E0B3A9492B696B",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/88579438B47876A727E0B3A9492B696B"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtoo

                                                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dll

                                                                                                                                                                                                                                    Download File
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp
                                                                                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):2560
                                                                                                                                                                                                                                    Entropy (8bit):2.8818118453929262
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                                                                                                                                    MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                                                                                                                                    SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                                                                                                                                    SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                                                                                                                                    SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                                                                                                    • Filename: AppKMSPico.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: AppKMSPico.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: dxRwXy19pq.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: 12321321.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: SecuriteInfo.com.Win32.Malware-gen.14270.13618.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: tKBxw8eOIV.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: tKBxw8eOIV.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B............................................................................................................................................................................................................................................................................................................................