Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1554012
MD5:	92c35fbe82bf7e416805c9286746ac4d
SHA1:	c02243fb0053a5ba2eb71d8ccfe81553c3b4f191
SHA256:	1ae950affe325dddd05586f66c1a4edd5133ffd13a8017759f8992ac27472e69
Infos:

Detection

Score:	51
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	34
Range:	0 - 100

Signatures

Multi AV Scanner detection for dropped file

Creates multiple autostart registry keys

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

EXE planting / hijacking vulnerabilities found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64

Setup.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 92C35FBE82BF7E416805C9286746AC4D)

chrome.exe (PID: 1720 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&winver=19045&version=fa.1092c&nocache=20241111161519.190&_fcid=1731354202975821 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7348 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4964 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7356 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

nsi70C.tmp (PID: 7884 cmdline: "C:\Users\user\AppData\Local\Temp\nsi70C.tmp" /internal 1731354202975821 /force MD5: 84EE733F8014D22DAD2DFEF725489980)

PcAppStore.exe (PID: 5736 cmdline: "C:\Users\user\PCAppStore\PcAppStore.exe" /init default MD5: 4B88D8ADA8D22622C30D581FC38EAA52)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

PcAppStore.exe (PID: 7272 cmdline: "C:\Users\user\PCAppStore\PCAppStore.exe" /init default MD5: 4B88D8ADA8D22622C30D581FC38EAA52)

RoXOpwnzkOItZgrk.exe (PID: 2140 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5460 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5376 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5608 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 2520 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 3168 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 4444 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 1852 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 6688 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 3060 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 3380 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 728 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 2992 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 3332 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 3680 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 4400 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 6484 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 3040 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 7096 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5988 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 4012 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5908 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5812 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5980 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 3664 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 6056 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RoXOpwnzkOItZgrk.exe (PID: 5896 cmdline: "C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

Watchdog.exe (PID: 4708 cmdline: "C:\Users\user\PCAppStore\Watchdog.exe" /guid=2ED92742-89DC-DD72-92E8-869FA5A66493 /rid=20241111161614.1886019781 /ver=fa.1092c MD5: 11F3801CB9FF046D6075F681971C4EB8)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\PCAppStore\PCAppStore.exe" /init default, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\nsi70C.tmp, ProcessId: 7884, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCAppStore

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	ReversingLabs: Detection: 45%
Source: C:\Users\user\PCAppStore\Uninstaller.exe	ReversingLabs: Detection: 29%

Machine Learning detection for sample

Source: Setup.exe

Joe Sandbox ML: detected

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\Watchdog.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\AutoUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\PcAppStore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\Uninstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\nwjs\notification_helper.exe	Jump to behavior

Phishing

Source: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c	HTTP Parser: No favicon
Source: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c	HTTP Parser: No favicon
Source: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c	HTTP Parser: No favicon
Source: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c	HTTP Parser: No favicon

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\Watchdog.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\AutoUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\PcAppStore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\Uninstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	EXE: C:\Users\user\PCAppStore\nwjs\notification_helper.exe	Jump to behavior

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCAppStore

Jump to behavior

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\ui\static\js\2.801b9d83.chunk.js.LICENSE.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\ReadMe.txt			Jump to behavior

PE / OLE file has a valid certificate

Source: Setup.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\Watchdog\x64\Release\Watchdog.pdb source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002758000.00000004.00000020.00020000.00000000.sdmp, Watchdog.exe, 0000000C.00000002.3324189168.00007FF761CCA000.00000002.00000001.01000000.00000017.sdmp, Watchdog.exe, 0000000C.00000000.2630518343.00007FF761CCA000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\AppStoreUpdater\Release\auto_updater.pdb1 source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RoXOpwnzkOItZgrk.exe, 0000000F.00000000.2724803813.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000012.00000002.3300428885.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000013.00000000.2733660287.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000014.00000000.2735365384.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000015.00000000.2747064508.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000016.00000000.2756709624.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000017.00000000.2759556225.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000018.00000000.2762059491.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000019.00000000.2763201593.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001A.00000000.2770181198.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001B.00000000.2773002586.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001C.00000002.3300472723.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001D.00000002.3300451691.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001E.00000002.3300423057.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001F.00000000.2778470087.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000020.00000002.3300436152.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000021.00000002.3300418666.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000022.00000000.2782813093.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000023.00000000.2783909157.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000024.00000002.3312589178.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000025.00000002.3300434189.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000026.00000000.2789493677.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000027.00000000.2791526301.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000028.00000002.3300420741.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000029.00000000.2798103734.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000002A.00000002.3309239153.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000002B.00000000.2800370739.000
Source:	Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: Setup.exe, 00000000.00000002.2247284425.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\engine\Release\PCAppStore.pdb source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000000.2629799617.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000002.3472679435.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733579179.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725223567.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\AppStoreUpdater\Release\auto_updater.pdb source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 209.222.21.115 209.222.21.115
Source: Joe Sandbox View	IP Address: 147.182.211.77 147.182.211.77
Source: Joe Sandbox View	IP Address: 104.248.126.225 104.248.126.225

Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3662305073.0000040400724000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660757093.0000040400618000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3660757093.0000040400618000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl` equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3690102260.00000404016F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3677982006.0000040400CE8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html0 equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3677982006.0000040400CE8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmllt equals www.youtube.com (Youtube)
Source: chrome.exe, 00000002.00000002.3674496564.0000040400C24000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674496564.0000040400C24000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722e
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000002.00000002.3595364004.0000040400028000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674496564.0000040400C24000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digice
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCer
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTruste
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgyNjAt
Source: chrome.exe, 00000002.00000002.3657974653.00000404004B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_third_pa
Source: chrome.exe, 00000002.00000002.3680281468.0000040400EEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 00000002.00000002.3680281468.0000040400EEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx352.0/
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efniojlnjndmcbiieeg
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemjh
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihi
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/oimompecagna
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmjkmgdlgnkkcocm
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/gonpemdgkjce
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adpcjrzq66vnkuggykvi4ijjqtva_9291/hfnkpimlhhgieaddgfe
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpng
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncanleaf
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjdbkjd
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcji
Source: chrome.exe, 00000002.00000002.3662388704.0000040400734000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/kqmxxzhbsp5oqnjc3nlsphfboa_20241101.690810062.14/obed
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/kuv6sxh4r3bgt6ctayzn6cl44e_3049/jflookgnkcckhobaglndi
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnf
Source: chrome.exe, 00000002.00000002.3688922854.000004040159C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00
Source: chrome.exe, 00000002.00000002.3611089255.00000404000A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_
Source: chrome.exe, 00000002.00000002.3673225485.0000040400B98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efniojl
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebnd
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmjk
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adpcjrzq66vnkuggykvi4ijjqtva_9291/hfnkpim
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.23
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/k
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/nei
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/kuv6sxh4r3bgt6ctayzn6cl44e_3049/jflookgnk
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.120
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000002.00000002.3556725840.0000016517C17000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localhost:64111/browseore/api/api.php
Source: Setup.exe, 00000000.00000000.2023503590.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Setup.exe, 00000000.00000002.2247284425.000000000040A000.00000004.00000001.01000000.00000003.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000000.2239315158.000000000040A000.00000008.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3461771412.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.2659320457.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.2659320457.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3095799951.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3461771412.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3095799951.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS0
Source: chrome.exe, 00000002.00000002.3611089255.00000404000A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64
Source: chrome.exe, 00000002.00000002.3667289268.0000040400980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000002.00000002.3667032695.0000040400960000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000002.00000002.3667032695.0000040400960000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/U
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773315830.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002ED4000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgy
Source: chrome.exe, 00000002.00000002.3664978898.0000040400820000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_thir
Source: chrome.exe, 00000002.00000002.3680281468.0000040400EEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efniojlnjndmcbi
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppe
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnn
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/oimompec
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmjkmgdlgnkk
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/gonpemdg
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adpcjrzq66vnkuggykvi4ijjqtva_9291/hfnkpimlhhgiead
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eei
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncan
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjd
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindgg
Source: chrome.exe, 00000002.00000002.3636663103.0000040400184000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/kqmxxzhbsp5oqnjc3nlsphfboa_20241101.690810062.14/
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkeh
Source: chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000002.00000002.3601866986.0000040400068000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000002.00000003.2810651311.00000404003EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3656848597.00000404003EC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3657857046.0000040400484000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000002.00000002.3595364004.0000040400028000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout%
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000002.00000002.3611089255.00000404000A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000002.00000002.3611089255.00000404000A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000002.00000002.3611089255.00000404000A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000002.00000002.3601866986.0000040400068000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000002.00000002.3669337392.0000040400A4C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://alling.p
Source: chrome.exe, 00000002.00000002.3690623544.0000040401791000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3555704146.000001651741D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://analytics.google.com/g/collect?v=2&tid=G-VFQWFX3X1C&gtm=45je4b70v898645365za200zb9103256652&
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000002.00000002.3673225485.0000040400B98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000002.00000002.3673225485.0000040400B98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000002.00000002.3673225485.0000040400B98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000002.00000002.3667289268.0000040400980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000002.00000002.3593070850.000004040000C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000002.00000002.3689387733.000004040160C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660317741.00000404005C8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3667556593.00000404009A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000002.00000002.3660317741.00000404005C8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3667556593.00000404009A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enh
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/(
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/(TrustTokenOperationsRequiringOriginTrial#all-operat
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000002.00000002.3593070850.000004040000C000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000002.00000002.3660317741.00000404005C8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g%
Source: chrome.exe, 00000002.00000002.3593070850.000004040000C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3405841906.0000001AD07FD000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661579568.0000040400684000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chrome.exe, 00000002.00000002.3656144019.00000404002F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.c
Source: chrome.exe, 00000002.00000002.3691154331.000004040180C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/
Source: chrome.exe, 00000002.00000002.3685446296.000004040106D000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690245714.000004040172C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3668194004.0000040400A0C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689969941.00000404016D4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689582365.0000040401648000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/analytics-container-tag-serving
Source: chrome.exe, 00000002.00000002.3690313692.0000040401740000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/analytics-container-tag-serving7
Source: chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/analytics-container-tag-servingy
Source: chrome.exe, 00000002.00000002.3682583023.0000040400FAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690313692.0000040401740000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3681975602.0000040400F54000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3539570676.000001651713D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1
Source: chrome.exe, 00000002.00000002.3680904402.0000040400F3C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1Cache-Control:
Source: chrome.exe, 00000002.00000002.3690313692.0000040401740000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1b
Source: chrome.exe, 00000002.00000002.3682583023.0000040400FAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3539570676.000001651713D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1d
Source: chrome.exe, 00000002.00000002.3661787376.00000404006CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1
Source: chrome.exe, 00000002.00000002.3656144019.00000404002F0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673588434.0000040400BC5000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661787376.00000404006CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1Content-Security-Policy:
Source: chrome.exe, 00000002.00000002.3656144019.00000404002F0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673588434.0000040400BC5000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661787376.00000404006CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1Content-Type:
Source: chrome.exe, 00000002.00000002.3662388704.0000040400734000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1a.tmp
Source: chrome.exe, 00000002.00000002.3673588434.0000040400BC5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1d
Source: chrome.exe, 00000002.00000002.3686022516.0000040401098000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaf
Source: chrome.exe, 00000002.00000002.3685029643.0000040401028000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:838:0
Source: chrome.exe, 00000002.00000002.3555704146.000001651741D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:57:0
Source: chrome.exe, 00000002.00000002.3555704146.000001651741D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascnsrsggc:136:0
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delivery.pcapp.store/
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delivery.pcapp.store/H
Source: Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delivery.pcapp.store/download.php?&src=mini_installer&file=1&mini_ver=&evt_src=fa_mini_insta
Source: Setup.exe, 00000000.00000003.2246234361.0000000002AFB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2254282150.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2247284425.0000000000436000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://delivery.pcapp.store/download.php?&src=mini_installer&file=1&mini_ver=ersion=fa.1092c&src=pc
Source: Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delivery.pcapp.store/download.php?&src=mini_installer&file=1&mini_ver=fa.1092c
Source: Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delivery.pcapp.store/download.php?&src=mini_installer&file=1&mini_ver=fa.1092c~
Source: Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delivery.pcapp.store/e_
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgyNjA
Source: chrome.exe, 00000002.00000002.3657974653.00000404004B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_third_p
Source: chrome.exe, 00000002.00000002.3680281468.0000040400EEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efniojlnjndmcbiiee
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemj
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkih
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/oimompecagn
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmjkmgdlgnkkcoc
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/gonpemdgkjc
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpn
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncanlea
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjdbkj
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcj
Source: chrome.exe, 00000002.00000002.3636663103.0000040400184000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/kqmxxzhbsp5oqnjc3nlsphfboa_20241101.690810062.14/obe
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/kuv6sxh4r3bgt6ctayzn6cl44e_3049/jflookgnkcckhobaglnd
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbn
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.goog
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl0
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000002.00000002.3661699795.00000404006B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674242073.0000040400C0C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapppr~
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/dogl
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690102260.00000404016F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000002.00000002.3690102260.00000404016F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultj
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultlt
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/njb
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674242073.0000040400C0C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000002.00000002.3655848022.00000404002C0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690102260.00000404016F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691374694.0000040401848000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/ogl
Source: chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674242073.0000040400C0C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3681975602.0000040400F54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691374694.0000040401848000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/ogl
Source: chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000002.00000002.3688826338.0000040401584000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689387733.000004040160C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690313692.0000040401740000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688922854.000004040159C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689165325.00000404015DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689969941.00000404016D4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674496564.0000040400C24000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://doubleclick.net/
Source: chrome.exe, 00000002.00000002.3688826338.0000040401584000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689387733.000004040160C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690313692.0000040401740000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688922854.000004040159C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689969941.00000404016D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://doubleclick.net/ore/
Source: chrome.exe, 00000002.00000002.3690313692.0000040401740000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://doubleclick.net/ore/w
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2ation.Result
Source: chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2d
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689969941.00000404016D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000002.00000002.3661990200.00000404006D8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673797299.0000040400BD0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000002.00000002.3661990200.00000404006D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000002.00000002.3691712183.00000404018A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64
Source: chrome.exe, 00000002.00000002.3673225485.0000040400B98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.cr
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efnioj
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebn
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmj
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adpcjrzq66vnkuggykvi4ijjqtva_9291/hfnkpi
Source: chrome.exe, 00000002.00000002.3636663103.0000040400184000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.2
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.130
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/ne
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/kuv6sxh4r3bgt6ctayzn6cl44e_3049/jflookgn
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.12
Source: chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?fa
Source: chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?faly
Source: chrome.exe, 00000002.00000002.3663148317.000004040074D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com/
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000002.00000002.3611089255.00000404000A4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000002.00000002.3555704146.000001651741D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: chrome.exe, 00000002.00000002.3680700958.0000040400F18000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691154331.000004040180C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/viewthroughconversion/858128210/?random=1731359724105&cv=
Source: chrome.exe, 00000002.00000002.3680700958.0000040400F18000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3539570676.000001651713D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/viewthroughconversion/858128210/?random=1731359724139&cv=
Source: chrome.exe, 00000002.00000002.3690385893.0000040401760000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691154331.000004040180C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3680996209.0000040400F48000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/viewthroughconversion/858128210/?random=1731359724364&cv=
Source: chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689165325.00000404015DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674496564.0000040400C24000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com/
Source: chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com/J
Source: chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com/cy
Source: chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com/ithm
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000002.00000002.3681975602.0000040400F54000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3667556593.00000404009A8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3702168767.00005AE000904000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000002.00000002.3699948450.00005AE000288000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3702168767.00005AE000904000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard#exps-registration-success-page-urls
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardPi
Source: chrome.exe, 00000002.00000002.3699948450.00005AE000288000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3702168767.00005AE000904000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardZ
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3667556593.00000404009A8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3702168767.00005AE000904000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000002.00000002.3702096091.00005AE0008D8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000002.00000002.3555821463.0000016517480000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload#companion-iph-blocklisted-page-urls
Source: chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000002.00000002.3702253030.00005AE000918000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000002.00000002.3702096091.00005AE0008D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674242073.0000040400C0C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3668011896.00000404009E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/u
Source: chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000002.00000002.3670109466.0000040400AA0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673503203.0000040400BB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673503203.0000040400BB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673503203.0000040400BB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673503203.0000040400BB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000002.00000002.3655848022.00000404002C0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673503203.0000040400BB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000002.00000002.3670109466.0000040400AA0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673503203.0000040400BB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000002.00000002.3673412717.0000040400BAC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673503203.0000040400BB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000002.00000002.3661385422.0000040400650000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.st
Source: chrome.exe, 00000002.00000002.3679230480.0000040400E7F000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000003.2811042443.0000040400294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3556725840.0000016517C1D000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3695531384.0000040402330000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000003.2931707195.0000040400294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3656635886.000004040036C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3676927127.0000040400C58000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000003.3012166842.0000040400294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store
Source: Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246288853.0000000000710000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2074265969.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2249431363.0000000000710000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690623544.0000040401791000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3638669538.000004040018C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660000463.0000040400590000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3632853896.0000040400164000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661385422.0000040400650000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689387733.000004040160C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3657179727.000004040045E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3667289268.0000040400980000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690385893.0000040401760000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661484612.0000040400678000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689822811.0000040401688000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3677025922.0000040400C68000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/
Source: chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3557292517.0000016519963000.00000002.00000001.00040000.0000001E.sdmp	String found in binary or memory: https://pcapp.store//
Source: chrome.exe, 00000002.00000002.3692380156.0000040401930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/?p=lpd_instal
Source: chrome.exe, 00000002.00000002.3685446296.000004040106D000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3551213465.00000165173E7000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3667556593.00000404009A8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3619038937.00000404000DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3556725840.0000016517C1D000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3677829145.0000040400CD4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3679967169.0000040400EB0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3657650069.000004040047C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674496564.0000040400C3F000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3563532130.0000016519AED000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3668194004.0000040400A0C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3692598137.0000040401AB4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=17313542029
Source: chrome.exe, 00000002.00000002.3692380156.0000040401930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/?p=lpd_instalng
Source: chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/BhATXkA&random=4025318608&rmt_tld=0&ipr=y
Source: chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/BhATXkA&random=4025318608&rmt_tld=0&ipr=yfmt=4
Source: Setup.exe, 00000000.00000003.2074265969.0000000002A75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/N
Source: Setup.exe, 00000000.00000003.2074265969.0000000002A75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/System32
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663587125.00000404007D0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3693859429.0000040401E84000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3696045726.00000404029F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3539570676.000001651713D000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3690451680.000004040176C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690245714.000004040172C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3685719710.0000040401074000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689165325.00000404015DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661579568.0000040400684000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674496564.0000040400C24000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686282433.00000404010D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/api/api.php
Source: chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/api/api.phpo
Source: chrome.exe, 00000002.00000002.3691154331.000004040180C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/gVvQQjQ&random=958788687&rmt_tld=0&ipr=y
Source: Setup.exe, 00000000.00000002.2249431363.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/inst_cpg.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&ve
Source: Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/installing.php?guid=&winver=
Source: chrome.exe, 00000002.00000002.3700522555.00005AE0002F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/installing.php?guid=2ED92742-89DC-DD72-92E8-
Source: chrome.exe, 00000002.00000002.3698157899.00003BB400238000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3699867400.00005AE000270000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661484612.0000040400678000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3667556593.00000404009A8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3486064200.0000016513530000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3697524573.00003708002A4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3655657174.00000404002B8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3696786891.0000370800234000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/installing.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&winver=19045&version=fa
Source: chrome.exe, 00000002.00000002.3655848022.00000404002C0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3668011896.00000404009E8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678214566.0000040400D20000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690451680.000004040176C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3680587527.0000040400F08000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/lp/appstore/img/favicon.ico
Source: chrome.exe, 00000002.00000002.3555704146.0000016517417000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://pcapp.store/lp/lpd_installing_r2/src/lpd_installing_r2.min.css?nocache=1709636059406
Source: chrome.exe, 00000002.00000002.3685446296.000004040106A000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3683022838.0000040400FD0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/lp/lpd_installing_r2/src/lpd_installing_r2.min.js?nocache=1709636059406
Source: Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2249431363.0000000000700000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246288853.0000000000700000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2074265969.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000003.2613673315.0000000003868000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.0000000000520000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3392448432.000001A1B048A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/pixel.gif?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&version=fa.1092c&evt_src=fa_
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687479873.0000040401160000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689687108.000004040166C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/pixelgif.php
Source: chrome.exe, 00000002.00000002.3689687108.000004040166C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/pixelgif.phpderValidator
Source: chrome.exe, 00000002.00000002.3687479873.0000040401160000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/pixelgif.phpm
Source: Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/privacy.html?guid=welhttps://pcapp.store/pixel.gif?guid=&version=&evt_src=fa_min
Source: chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690451680.000004040176C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/src/main.js
Source: Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/tos.html?guid=
Source: Setup.exe, 00000000.00000003.2246288853.0000000000710000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2249431363.0000000000710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store/~1
Source: chrome.exe, 00000002.00000002.3679230480.0000040400E7F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store1
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.store:443
Source: chrome.exe, 00000002.00000002.3656980976.000004040040C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3695531384.0000040402330000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.storeAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000002.00000002.3563532130.0000016519AE7000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.storeH
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://pcapp.storeHX
Source: chrome.exe, 00000002.00000002.3691712183.00000404018A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win6
Source: chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://repository.pcapp.store/pcapp/images/front_img/lp/lpd_installing_r2/img/done_windows_icon.svg
Source: chrome.exe, 00000002.00000002.3601866986.0000040400068000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000002.00000002.3601866986.0000040400068000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net
Source: chrome.exe, 00000002.00000002.3692069212.0000040401904000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691292518.0000040401838000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/bjs
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/bts
Source: chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/buyer.wasm
Source: chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/ga/rul?tid=G-VFQWFX3X1C&gacid=1491451011.1731359724&gtm=45
Source: chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/ga/rul?tid=G-VFQWFX3X1C&gacid=1491451011.1731359724&gtm=45C
Source: chrome.exe, 00000002.00000002.3688404654.0000040401508000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689582365.0000040401648000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/ga/rul?tid=G-VFQWFX3X1C&gacid=1491451011.1731359724&gtm=45je4b70v89864
Source: chrome.exe, 00000002.00000002.3670250185.0000040400AB8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673797299.0000040400BD0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3551213465.00000165173ED000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/rul/858128210?random=1731359724105&cv=11&fst=1731359724105&fmt=3&bg=ff
Source: chrome.exe, 00000002.00000002.3680700958.0000040400F18000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3551213465.00000165173E7000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3673797299.0000040400BD0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3551213465.00000165173ED000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/rul/858128210?random=1731359724139&cv=11&fst=1731359724139&fmt=3&bg=ff
Source: chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3551213465.00000165173E7000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3673797299.0000040400BD0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3551213465.00000165173ED000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/rul/858128210?random=1731359724364&cv=11&fst=1731359724364&fmt=3&bg=ff
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/update?ig_name=4s1848060374.1731359724
Source: chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net/td/update?ig_name=4s1848060374.1731359724&ig_key=1sNHMxODQ4MDYwMzc0LjE3Mz
Source: chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net4s1848060374.1731359724
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net4s1848060374.1731359724/
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.nethttps://pcapp.store
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.nethttps://pcapp.store/
Source: chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_
Source: chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_4b48-b8b7-a4eb590d34b3
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=156786411258&cr_id=681164326060&cv_id=1&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=156786411258&cr_id=681210400247&cv_id=2&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=156786411258&cr_id=682239234212&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820411&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820414&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820429&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820432&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820444&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820450&cv_id=
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820450&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820453&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820456&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688795175019&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688917203998&cv_id=0&format=$
Source: chrome.exe, 00000002.00000002.3595364004.0000040400028000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://update.googleapis.com/service/update2/json?cup2key=13:8ORGPc2K8WWe018Y6NamooqhCqCFMWwd60sA08
Source: chrome.exe, 00000002.00000002.3657857046.0000040400484000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661990200.00000404006D8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661579568.0000040400684000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000002.00000002.3663587125.00000404007D0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000002.00000002.3663587125.00000404007D0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTg
Source: chrome.exe, 00000002.00000002.3664978898.0000040400820000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_thi
Source: chrome.exe, 00000002.00000002.3680281468.0000040400EEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efniojlnjndmcb
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmpp
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcn
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/oimompe
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmjkmgdlgnk
Source: chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/gonpemd
Source: chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adpcjrzq66vnkuggykvi4ijjqtva_9291/hfnkpimlhhgiea
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/ee
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocnca
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabj
Source: chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindg
Source: chrome.exe, 00000002.00000002.3636663103.0000040400184000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/kqmxxzhbsp5oqnjc3nlsphfboa_20241101.690810062.14
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkke
Source: chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3671091086.0000040400B2C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000002.00000002.3690623544.0000040401791000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/pagead/1p-user-list/858128210/?random=1731359724364&cv=11&fst=1731358800000&b
Source: chrome.exe, 00000002.00000002.3692142561.0000040401910000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3556725840.0000016517C1D000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: chrome.exe, 00000002.00000002.3595364004.0000040400028000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3563532130.0000016519AE7000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3678390982.0000040400D2C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000002.00000002.3679230480.0000040400E7F000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688922854.000004040159C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3693108906.0000040401D08000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/
Source: chrome.exe, 00000002.00000002.3661385422.0000040400650000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3667289268.0000040400980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=AW-858128210
Source: chrome.exe, 00000002.00000002.3661385422.0000040400650000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3667289268.0000040400980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-VFQWFX3X1C
Source: chrome.exe, 00000002.00000002.3688404654.0000040401508000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3685125055.000004040103C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-VFQWFX3X1C&l=dataLayer&cx=c&gtm=45be4b70v9103256652za2
Source: chrome.exe, 00000002.00000002.3679230480.0000040400E7F000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3657857046.0000040400484000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690245714.000004040172C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689582365.0000040401648000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686282433.00000404010D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/static/service_worker/4al0/sw.js?origin=https%3A%2F%2Fpcapp.store
Source: chrome.exe, 00000002.00000002.3661699795.00000404006B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690245714.000004040172C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/static/service_worker/4al0/sw.js?origin=https%3A%2F%2Fpcapp.storepp
Source: chrome.exe, 00000002.00000002.3678390982.0000040400D2C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/static/service_worker/4al0/sw.js?origin=https%3A%2F%2Fpcapp.storeto
Source: chrome.exe, 00000002.00000002.3690451680.000004040177C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3679230480.0000040400E7F000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691154331.000004040180C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3556725840.0000016517C1D000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3688622523.000004040155C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690245714.000004040172C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3683022838.0000040400FD0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689582365.0000040401648000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686282433.00000404010D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/static/service_worker/4al0/sw_iframe.html?origin=https%3A%2F%2Fpcap
Source: chrome.exe, 00000002.00000002.3555704146.0000016517417000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.comH
Source: chrome.exe, 00000002.00000002.3657974653.00000404004B4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3683022838.0000040400FD0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000002.00000002.3679615766.0000040400E8E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.jsdelivr.com/using-sri-with-dynamic-files
Source: chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660757093.0000040400618000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000002.00000002.3660757093.0000040400618000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytcaogl
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000002.00000002.3662305073.0000040400724000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690102260.00000404016F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3677982006.0000040400CE8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global mouse hook

Source: C:\Users\user\PCAppStore\PcAppStore.exe

Windows user hook set: 0 mouse low level C:\Users\user\PCAppStore\PcAppStore.exe

System Summary

PE file contains more sections than normal

Source: NW_store.exe.9.dr	Static PE information: Number of sections : 13 > 10
Source: nw.dll.9.dr	Static PE information: Number of sections : 15 > 10
Source: vk_swiftshader.dll.9.dr	Static PE information: Number of sections : 11 > 10
Source: ffmpeg.dll.9.dr	Static PE information: Number of sections : 11 > 10
Source: vulkan-1.dll.9.dr	Static PE information: Number of sections : 11 > 10
Source: libEGL.dll.9.dr	Static PE information: Number of sections : 12 > 10
Source: node.dll.9.dr	Static PE information: Number of sections : 11 > 10
Source: nw_elf.dll.9.dr	Static PE information: Number of sections : 14 > 10
Source: libGLESv2.dll.9.dr	Static PE information: Number of sections : 12 > 10
Source: notification_helper.exe.9.dr	Static PE information: Number of sections : 13 > 10

Sample file is different than original file name gathered from version info

Source: Setup.exe, 00000000.00000002.2247284425.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameinetc.dllF vs Setup.exe

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal51.spyw.evad.winEXE@35/306@0/31

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsnEE13.tmp

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT sql FROM%d UNION ALL SELECT shell_add_schema(sql,mainNULL,name) AS sql, type, tbl_name, name, rowid, AS snum, AS sname FROM .sqlite_schema UNION ALL SELECT shell_module_schema(name), 'table', name, name, name, 9e+99, 'main' FROM pragma_module_list) WHERE %Qlower(printf('%s.%s',sname,tbl_name))lower(tbl_name) GLOB LIKE ESCAPE '\' AND name NOT LIKE 'sqlite_%%' AND sql IS NOT NULL ORDER BY snum, rowidSQL: %s;
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO sqlite_schema(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');%s
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT max(length(key)) FROM temp.sqlite_parameters;
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: CREATE TABLE ColNames( cpos INTEGER PRIMARY KEY, name TEXT, nlen INT, chop INT, reps INT, suff TEXT);CREATE VIEW RepeatedNames AS SELECT DISTINCT t.name FROM ColNames t WHERE t.name COLLATE NOCASE IN ( SELECT o.name FROM ColNames o WHERE o.cpos<>t.cpos);
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT type,name,tbl_name,sql FROM sqlite_schema ORDER BY name;
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT key, quote(value) FROM temp.sqlite_parameters;
Source: chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT 'CREATE TEMP' \|\| substr(sql, 7) FROM sqlite_schema WHERE tbl_name = %Q AND type IN ('table', 'trigger') ORDER BY type;
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO selftest(tno,op,cmd,ans) SELECT rowid*10,op,cmd,ans FROM [_shell$self];
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT * FROM "%w" ORDER BY rowid DESC;Warning: cannot step "%s" backwardsSELECT name, sql FROM sqlite_schema WHERE %sError: (%d) %s on [%s]
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO sqlite_schema(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT * FROM "%w" ORDER BY rowid DESC;
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT tbl,idx,stat FROM sqlite_stat1 ORDER BY tbl,idx;
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT 'EXPLAIN QUERY PLAN SELECT 1 FROM ' \|\| quote(s.name) \|\| ' WHERE ' \|\| group_concat(quote(s.name) \|\| '.' \|\| quote(f.[from]) \|\| '=?' \|\| fkey_collate_clause( f.[table], COALESCE(f.[to], p.[name]), s.name, f.[from]),' AND '), 'SEARCH ' \|\| s.name \|\| ' USING COVERING INDEX(' \|\| group_concat('=?', ' AND ') \|\| ')', s.name \|\| '(' \|\| group_concat(f.[from], ', ') \|\| ')', f.[table] \|\| '(' \|\| group_concat(COALESCE(f.[to], p.[name])) \|\| ')', 'CREATE INDEX ' \|\| quote(s.name \|\|'_'\|\| group_concat(f.[from], '_')) \|\| ' ON ' \|\| quote(s.name) \|\| '(' \|\| group_concat(quote(f.[from]) \|\| fkey_collate_clause( f.[table], COALESCE(f.[to], p.[name]), s.name, f.[from]), ', ') \|\| ');', f.[table] FROM sqlite_schema AS s, pragma_foreign_key_list(s.name) AS f LEFT JOIN pragma_table_info AS p ON (pk-1=seq AND p.arg=f.[table]) GROUP BY s.name, f.id ORDER BY (CASE WHEN ? THEN f.[table] ELSE s.name END)
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT 'CREATE TEMP' \|\| substr(sql, 7) FROM sqlite_schema WHERE tbl_name = %Q AND type IN ('table', 'trigger') ORDER BY type;ALTER TABLE temp.%Q RENAME TO %QINSERT INTO %Q VALUES(, %s?)UPDATE %Q SET , %s%Q=?DELETE FROM %QSELECT type, name, sql, 1 FROM sqlite_schema WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' UNION ALL SELECT type, name, sql, 2 FROM sqlite_schema WHERE type = 'trigger' AND tbl_name IN(SELECT name FROM sqlite_schema WHERE type = 'view') ORDER BY 4, 1CREATE TABLE x(, %s%Q COLLATE %s)CREATE VIRTUAL TABLE %Q USING expert(%Q)SELECT max(i.seqno) FROM sqlite_schema AS s, pragma_index_list(s.name) AS l, pragma_index_info(l.name) AS i WHERE s.type = 'table', %sx.%Q IS rem(%d, x.%Q) COLLATE %s%s%dSELECT %s FROM %Q x ORDER BY %sSELECT %s FROM temp.t592690916721053953805701627921227776 x ORDER BY %s%d %dDROP TABLE IF EXISTS temp.t592690916721053953805701627921227776CREATE TABLE temp.t592690916721053953805701627921227776 AS SELECT * FROM %QSELECT s.rowid, s.name, l.name FROM sqlite_schema AS s, pragma_index_list(s.name) AS l WHERE s.type = 'table'SELECT name, coll FROM pragma_index_xinfo(?) WHERE keyINSERT INTO sqlite_stat1 VALUES(?, ?, ?)ANALYZE; PRAGMA writable_schema=1remsampleDROP TABLE IF EXISTS temp.t592690916721053953805701627921227776ANALYZE sqlite_schemaDROP TABLE IF EXISTS temp.t592690916721053953805701627921227776:memory::memory:SELECT sql FROM sqlite_schema WHERE name NOT LIKE 'sqlite_%%' AND sql NOT LIKE 'CREATE VIRTUAL %%'Cannot find a unique index name to propose. -- stat1: %s;%s%s
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT OR IGNORE INTO "%s" VALUES(?,?);Error %d: %s on [%s]
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3479789162.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000000.2629842166.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725376026.00007FF6E4AA2000.00000008.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733843544.00007FF6E4AA3000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT name,seq FROM sqlite_sequence ORDER BY name;

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&winver=19045&version=fa.1092c&nocache=20241111161519.190&_fcid=1731354202975821
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4964 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nsi70C.tmp "C:\Users\user\AppData\Local\Temp\nsi70C.tmp" /internal 1731354202975821 /force
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PcAppStore.exe" /init default
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process created: C:\Users\user\PCAppStore\Watchdog.exe "C:\Users\user\PCAppStore\Watchdog.exe" /guid=2ED92742-89DC-DD72-92E8-869FA5A66493 /rid=20241111161614.1886019781 /ver=fa.1092c
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PCAppStore.exe" /init default
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&winver=19045&version=fa.1092c&nocache=20241111161519.190&_fcid=1731354202975821	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nsi70C.tmp "C:\Users\user\AppData\Local\Temp\nsi70C.tmp" /internal 1731354202975821 /force	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PCAppStore.exe" /init default	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4964 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PcAppStore.exe" /init default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process created: C:\Users\user\PCAppStore\Watchdog.exe "C:\Users\user\PCAppStore\Watchdog.exe" /guid=2ED92742-89DC-DD72-92E8-869FA5A66493 /rid=20241111161614.1886019781 /ver=fa.1092c	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PCAppStore.exe" /init default
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: apphelp.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: urlmon.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: winhttp.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: iertutil.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: srvcli.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: netutils.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: wldp.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: wininet.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: sspicli.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: profapi.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: mswsock.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: winnsi.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: schannel.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: msasn1.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: dpapi.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: gpapi.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\PCAppStore\Watchdog.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: urlmon.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: version.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wlanapi.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: winhttp.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: secur32.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: iertutil.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: srvcli.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: netutils.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: profapi.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: sspicli.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: amsi.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: userenv.dll
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	Section loaded: oleacc.dll

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: PC App Store.lnk.9.dr	LNK file: ..\..\..\..\..\..\PCAppStore\PcAppStore.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCAppStore

Jump to behavior

PE / OLE file has a valid certificate

Source: Setup.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\Watchdog\x64\Release\Watchdog.pdb source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002758000.00000004.00000020.00020000.00000000.sdmp, Watchdog.exe, 0000000C.00000002.3324189168.00007FF761CCA000.00000002.00000001.01000000.00000017.sdmp, Watchdog.exe, 0000000C.00000000.2630518343.00007FF761CCA000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\AppStoreUpdater\Release\auto_updater.pdb1 source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RoXOpwnzkOItZgrk.exe, 0000000F.00000000.2724803813.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000012.00000002.3300428885.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000013.00000000.2733660287.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000014.00000000.2735365384.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000015.00000000.2747064508.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000016.00000000.2756709624.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000017.00000000.2759556225.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000018.00000000.2762059491.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000019.00000000.2763201593.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001A.00000000.2770181198.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001B.00000000.2773002586.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001C.00000002.3300472723.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001D.00000002.3300451691.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001E.00000002.3300423057.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000001F.00000000.2778470087.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000020.00000002.3300436152.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000021.00000002.3300418666.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000022.00000000.2782813093.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000023.00000000.2783909157.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000024.00000002.3312589178.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000025.00000002.3300434189.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000026.00000000.2789493677.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000027.00000000.2791526301.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000028.00000002.3300420741.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 00000029.00000000.2798103734.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000002A.00000002.3309239153.000000000063E000.00000002.00000001.01000000.0000001A.sdmp, RoXOpwnzkOItZgrk.exe, 0000002B.00000000.2800370739.000
Source:	Binary string: C:\Users\zak\Downloads\Inetc\Unicode\Plugins\inetc.pdb source: Setup.exe, 00000000.00000002.2247284425.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\engine\Release\PCAppStore.pdb source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000000.2629799617.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000002.3472679435.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000002.2733579179.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 00000010.00000000.2725223567.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Build\Build_1092c_D20241025T171023\fa_rss\AppStoreUpdater\Release\auto_updater.pdb source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002E43000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

PE file contains an invalid checksum

Source: Setup.exe	Static PE information: real checksum: 0x3937f should be: 0x3361c
Source: NW_store.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x23ab08
Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: System.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: vk_swiftshader.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x44caa7
Source: ffmpeg.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x1f8136
Source: nsJSON.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x6718
Source: NSISFastLib.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x30512
Source: inetc.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x13c41
Source: vulkan-1.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0xe0b14
Source: libEGL.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x7ddc6
Source: nsJSON.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x6718
Source: Math.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x155a8
Source: nw_elf.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x124d11
Source: NSISFastLib.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x30512
Source: inetc.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x13c41
Source: libGLESv2.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0x7b9652
Source: notification_helper.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x11edb8
Source: nsDialogs.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2f9b

PE file contains sections with non-standard names

Source: NW_store.exe.9.dr	Static PE information: section name: .gxfg
Source: NW_store.exe.9.dr	Static PE information: section name: .retplne
Source: NW_store.exe.9.dr	Static PE information: section name: .voltbl
Source: NW_store.exe.9.dr	Static PE information: section name: CPADinfo
Source: NW_store.exe.9.dr	Static PE information: section name: _RDATA
Source: NW_store.exe.9.dr	Static PE information: section name: malloc_h
Source: ffmpeg.dll.9.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.9.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.9.dr	Static PE information: section name: .voltbl
Source: ffmpeg.dll.9.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.9.dr	Static PE information: section name: .gxfg
Source: libEGL.dll.9.dr	Static PE information: section name: .retplne
Source: libEGL.dll.9.dr	Static PE information: section name: .voltbl
Source: libEGL.dll.9.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.9.dr	Static PE information: section name: malloc_h
Source: libGLESv2.dll.9.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll.9.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll.9.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll.9.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.9.dr	Static PE information: section name: malloc_h
Source: node.dll.9.dr	Static PE information: section name: .gxfg
Source: node.dll.9.dr	Static PE information: section name: .retplne
Source: node.dll.9.dr	Static PE information: section name: .voltbl
Source: node.dll.9.dr	Static PE information: section name: _RDATA
Source: notification_helper.exe.9.dr	Static PE information: section name: .gxfg
Source: notification_helper.exe.9.dr	Static PE information: section name: .retplne
Source: notification_helper.exe.9.dr	Static PE information: section name: .voltbl
Source: notification_helper.exe.9.dr	Static PE information: section name: CPADinfo
Source: notification_helper.exe.9.dr	Static PE information: section name: _RDATA
Source: notification_helper.exe.9.dr	Static PE information: section name: malloc_h
Source: nw.dll.9.dr	Static PE information: section name: .gxfg
Source: nw.dll.9.dr	Static PE information: section name: .retplne
Source: nw.dll.9.dr	Static PE information: section name: .rodata
Source: nw.dll.9.dr	Static PE information: section name: .voltbl
Source: nw.dll.9.dr	Static PE information: section name: CPADinfo
Source: nw.dll.9.dr	Static PE information: section name: LZMADEC
Source: nw.dll.9.dr	Static PE information: section name: _RDATA
Source: nw.dll.9.dr	Static PE information: section name: malloc_h
Source: nw_elf.dll.9.dr	Static PE information: section name: .crthunk
Source: nw_elf.dll.9.dr	Static PE information: section name: .gxfg
Source: nw_elf.dll.9.dr	Static PE information: section name: .retplne
Source: nw_elf.dll.9.dr	Static PE information: section name: .voltbl
Source: nw_elf.dll.9.dr	Static PE information: section name: CPADinfo
Source: nw_elf.dll.9.dr	Static PE information: section name: _RDATA
Source: nw_elf.dll.9.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.9.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.9.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.9.dr	Static PE information: section name: .voltbl
Source: vk_swiftshader.dll.9.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.9.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.9.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.9.dr	Static PE information: section name: .voltbl
Source: vulkan-1.dll.9.dr	Static PE information: section name: _RDATA

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\node.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\NSISFastLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\nw_elf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\Watchdog.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\PcAppStore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\Uninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\Math.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\AutoUpdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\NSISFastLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\nwjs\nw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\nsJSON.dll	Jump to dropped file

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\ui\static\js\2.801b9d83.chunk.js.LICENSE.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\PCAppStore\ReadMe.txt			Jump to behavior

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Watchdog	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PCAppStore	Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PCAppStore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PCAppStore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Watchdog	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Watchdog	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive

Contains long sleeps (>= 3 min)

Source: C:\Users\user\PCAppStore\Watchdog.exe

Thread delayed: delay time: 300000

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\PCAppStore\PcAppStore.exe	Window / User API: threadDelayed 451	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Window / User API: threadDelayed 748	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Window / User API: threadDelayed 2202	Jump to behavior
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Window / User API: foregroundWindowGot 573

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\node.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\NSISFastLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\nw_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\Math.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\AutoUpdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\Uninstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\NSISFastLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\nw.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\PCAppStore\Watchdog.exe TID: 7948	Thread sleep count: 244 > 30
Source: C:\Users\user\PCAppStore\Watchdog.exe TID: 7948	Thread sleep time: -14640000s >= -30000s
Source: C:\Users\user\PCAppStore\Watchdog.exe TID: 4476	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\PCAppStore\Watchdog.exe TID: 7948	Thread sleep time: -60000s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\PCAppStore\PcAppStore.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\PCAppStore\PcAppStore.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\PCAppStore\PcAppStore.exe	Last function: Thread delayed
Source: C:\Users\user\PCAppStore\Watchdog.exe	Last function: Thread delayed
Source: C:\Users\user\PCAppStore\Watchdog.exe	Last function: Thread delayed

Source: C:\Users\user\PCAppStore\Watchdog.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\PCAppStore\Watchdog.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\PCAppStore\Watchdog.exe	Thread delayed: delay time: 60000

Source: chrome.exe, 00000002.00000002.3670250185.0000040400AB8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware
Source: explorer.exe, 0000000D.00000002.3363711962.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: nsi70C.tmp, 00000009.00000002.2773861819.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: explorer.exe, 0000000D.00000000.2659320457.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3095799951.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3461771412.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: PcAppStore.exe, 00000010.00000002.2732644579.000001B721B2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWB=
Source: explorer.exe, 0000000D.00000003.3095799951.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000000D.00000003.3101046480.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PcAppStore.exe, 00000010.00000003.2731665345.000001B721B3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Setup.exe, 00000000.00000003.2031433619.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stem_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"Google+Chrome","10":"Microsoft+Edge","11":"Microsoft+Edge+Update","12":"Microsoft+Edge+WebView2+Runtime","13":"Java+Auto+Updater","14":"Java+8+Update+381","15":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","16":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"Memory+Compression","2":"OfficeClickToRun%2Eexe","3":"Registry",
Source: explorer.exe, 0000000D.00000000.2642754992.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: Setup.exe, 00000000.00000003.2031096568.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29",
Source: PcAppStore.exe, 00000010.00000003.2731665345.000001B721B3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductUC93RT2ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.Noney*
Source: chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse`
Source: PcAppStore.exe, 00000010.00000003.2731665345.000001B721B3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductUC93RT2ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.None+
Source: Setup.exe, 00000000.00000002.2254144337.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2249431363.0000000000700000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246288853.0000000000700000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3348473600.000001A1ADE74000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3348473600.000001A1ADDE5000.00000004.00000020.00020000.00000000.sdmp, Watchdog.exe, 0000000C.00000002.3308422428.0000021F84B2A000.00000004.00000020.00020000.00000000.sdmp, Watchdog.exe, 0000000C.00000003.3243181016.0000021F84B2A000.00000004.00000020.00020000.00000000.sdmp, Watchdog.exe, 0000000C.00000002.3308422428.0000021F84AB3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3095799951.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: nsi70C.tmp, 00000009.00000003.2617023583.000000000385C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware%2C+Inc%2E
Source: Setup.exe, 00000000.00000003.2031096568.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware%2C+Inc%2EA
Source: Setup.exe, 00000000.00000003.2031096568.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mstem_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device",
Source: explorer.exe, 0000000D.00000003.3100244666.000000000C511000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}Z
Source: Setup.exe, 00000000.00000003.2031433619.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"Google+Chrome","10":"Microsoft+Edge","11":"Microsoft+Edge+Update","12":"Microsoft+Edge+WebView2+Runtime","13":"Java+Auto+Updater","14":"Java+8+Update+381","15":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","16":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"Memory+Compression","2":"OfficeClickToRun%2Eexe","3":"Registry","4":"RoXOpwnzkOItZgrk%2Eexe","5":"RuntimeBroker%2Eexe","6":"SearchApp%2Eexe","7":"Setup%2Eexe","8":"SgrmBroker%2Eexe","9":"ShellExperienceHost%2Eexe","10":"StartMenuExperienceHost%2Eexe","11":"System","12":"SystemSettings%2Eexe",
Source: chrome.exe, 00000002.00000002.3486064200.0000016513547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Setup.exe, 00000000.00000003.2032598636.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stem_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"Google+Chrome","10":"Microsoft+Edge","11":"Microsoft+Edge+Update","12":"Microsoft+Edge+WebView2+Runtime","13":"Java+Auto+Updater","14":"Java+8+Update+381","15":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","16":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"Memory+Compression","2":"OfficeClickToRun%2Eexe","3":"Registry","4":"RoXOpwnzkOItZgrk%2Eexe","5":"RuntimeBroker%2Eexe","6":"SearchApp%2Eexe","7":"Setup%2Eexe","8":"SgrmBroker%2Eexe","9":"ShellExperienceHost%2Eexe","10":"StartMenuExperienceHost%2Eexe","11":"System","12":"SystemSettings%2Eexe","13":"TextInputHost%2Eexe","14":"WinStore%2EApp%2Eexe","15":"WmiPrvSE%2Eexe","16":"%5BSystem+Process%5D","17":"audiodg%2Eexe","18":"backgroundTaskHost%2Eexe","19":"conhost%2Eexe","20":"csrss%2Eexe","21":"ctfmon%2Eexe","22":"dasHost%2Eexe","23":"dllhost%2Eexe","24":"dwm%2Eexe","25":"explorer%2Eexe",
Source: chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=3cb9ba41-9f45-4299-b922-82294633f909
Source: explorer.exe, 0000000D.00000000.2659320457.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: PcAppStore.exe, 0000000B.00000002.3392448432.000001A1B048A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDev
Source: explorer.exe, 0000000D.00000003.3101046480.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000D.00000003.3095799951.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: PcAppStore.exe, 0000000B.00000002.3348473600.000001A1ADE74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpM
Source: explorer.exe, 0000000D.00000003.3101046480.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: Setup.exe, 00000000.00000003.2031607257.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stem_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B
Source: PcAppStore.exe, 0000000B.00000003.2636349165.000001A1ADE08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3RT2ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.Noney*
Source: explorer.exe, 0000000D.00000000.2649191382.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000D.00000002.3363711962.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Setup.exe, 00000000.00000003.2031856710.0000000000700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mstem_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B
Source: nsi70C.tmp, 00000009.00000003.2617004651.0000000003863000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "VMware%2C+Inc%2E"
Source: explorer.exe, 0000000D.00000000.2649191382.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: tempPOSTData.9.dr	Binary or memory string: {"system_stats":{"os_name":"Microsoft+Windows+10+Pro","os_installdate":"20231003105718%2E000000%2B120","os_processes":"110","os_architecture":"64-bit","os_virtmem":"8387636","os_mem":"4193332","cpu_name":"Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz","cpu_maxclock":"2000","cpu_cores":"4","cpu_logicalproc":"1","pc_vendor":"VMware%2C+Inc%2E","pc_version":"None","gpu_name":"2TYVF5YR","gpu_ram":"0","gpu_bitsperpixel":"32","gpu_x":"1280","gpu_y":"1024","disk_name":"56HUGF4C+SCSI+Disk+Device","disk_size":"412300001200","sec_as":"","sec_av":"Windows+Defender","sec_fw":"","bios_releasedate":"20221121000000%2E000000%2B000"},"pcapps":{"0":"7-Zip+23%2E01+%28x64%29","1":"Mozilla+Firefox+%28x64+en-US%29","2":"Mozilla+Maintenance+Service","3":"Microsoft+Office+Professional+Plus+2019+-+en-us","4":"Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532","5":"Office+16+Click-to-Run+Licensing+Component","6":"Office+16+Click-to-Run+Extensibility+Component+64-bit+Registration","7":"Adobe+Acrobat+%2864-bit%29","8":"Microsoft+Visual+C%2B%2B+2022+X64+Minimum+Runtime+-+14%2E36%2E32532","9":"YouTube","10":"Sheets","11":"Slides","12":"Docs","13":"Gmail","14":"Google+Drive","15":"YouTube","16":"Sheets","17":"Slides","18":"Docs","19":"Gmail","20":"Google+Drive","21":"Microsoft+Edge","22":"Microsoft+Edge+Update","23":"Microsoft+Edge+WebView2+Runtime","24":"Java+Auto+Updater","25":"Java+8+Update+381","26":"Microsoft+Visual+C%2B%2B+2015-2022+Redistributable+%28x64%29+-+14%2E36%2E32532","27":"Office+16+Click-to-Run+Extensibility+Component"},"processes":{"0":"ApplicationFrameHost%2Eexe","1":"Memory+Compression","2":"OfficeClickToRun%2Eexe","3":"Registry","4":"RoXOpwnzkOItZgrk%2Eexe","5":"RuntimeBroker%2Eexe","6":"SIHClient%2Eexe","7":"SearchApp%2Eexe","8":"SgrmBroker%2Eexe","9":"ShellExperienceHost%2Eexe","10":"StartMenuExperienceHost%2Eexe","11":"System","12":"SystemSettings%2Eexe","13":"TextInputHost%2Eexe","14":"WMIADAP%2Eexe","15":"WinStore%2EApp%2Eexe","16":"WmiPrvSE%2Eexe","17":"%5BSystem+Process%5D","18":"audiodg%2Eexe","19":"chrome%2Eexe","20":"conhost%2Eexe","21":"csrss%2Eexe","22":"ctfmon%2Eexe","23":"dasHost%2Eexe","24":"dllhost%2Eexe","25":"dwm%2Eexe","26":"explorer%2Eexe","27":"fontdrvhost%2Eexe","28":"lsass%2Eexe","29":"nsi70C%2Etmp","30":"services%2Eexe","31":"sihost%2Eexe","32":"smartscreen%2Eexe","33":"smss%2Eexe","34":"spoolsv%2Eexe","35":"svchost%2Eexe","36":"wininit%2Eexe","37":"winlogon%2Eexe"}}
Source: explorer.exe, 0000000D.00000000.2649191382.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: Watchdog.exe, 0000000C.00000002.3308422428.0000021F84AB3000.00000004.00000020.00020000.00000000.sdmp, Watchdog.exe, 0000000C.00000003.3243181016.0000021F84AE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 0000000D.00000003.3101046480.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000D.00000003.3101046480.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 0000000D.00000000.2642754992.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000D.00000003.3095799951.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.2650976090.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtAddAtomEx: Direct from: 0x76EF312C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtQueryValueKey: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtSetInformationThread: Direct from: 0x76EF2ECC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Setup.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&winver=19045&version=fa.1092c&nocache=20241111161519.190&_fcid=1731354202975821

Jump to behavior

Source: explorer.exe, 0000000D.00000000.2659320457.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3522857196.0000000009B9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3099880316.0000000009B98000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000000.2629799617.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000002.3472679435.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: C++/WinRT version:2.0.220110.5productr_binErreCode=%dproductcreate_shortcutshortcut_erroroid=%luSHGetFolderPath_error_code=%X&oid=%luQueryInterface_error_code=%X&oid=%luCoCreateInstance_error_code=%X&oid=%lu.lnknfinityan.lnkindsnanproductshortcut_delete_erroreC=%XnfinityanindsnanShell_TrayWnd0p+00p+0unknowninfnan(ind)nannan(snan)infnan(ind)nannan(snan)infnan(ind)nannan(snan)infnan(ind)nannan(snan)unknownLTRRTLLTRinfnan(ind)nannan(snan)infnan(ind)nannan(snan)type must be string, but is type must be number, but is type must be number, but is \\\HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGCurrentBuildBuildNumberSOFTWARE\Microsoft\Windows NT\CurrentVersionSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon%lu%02X\/Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSoftware\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSoftware\PCAppStoreAppParamdefaultauto_start_oncontextual_offersperiodical_offerspersonilized_notifications%us%5B%5D=\uparamsnametype must be string, but is paramsnameurloidentryAppfilePath0e+000e+00RoGetActivationFactorycombase.dllCoIncrementMTAUsagecombase.dll^(https?://(?:www.)?([^/]+))(/.*)?$.dllDllGetActivationFactoryURL format is not valid : %wsWinHTTP 1.0handle initialization failuretimeout init failurehandle connection failureGEThandle request creation failurehandle request or response failurefile creation failurequery data not availableurloidlastTimeoTypesessionIdtagretmessageRoGetActivationFactorycombase.dllCoIncrementMTAUsagecombase.dll.dllDllGetActivationFactoryiconnamepathoidanimationsoundmenu_storemenu_searchhttps://pcapp.storenamepathmicrosoftIdregpathkeydisplaycountblinkingnotificationIconrunParampathalt_linkmicrosoftIdregpathkeyidwinGetParamsaltActionaltActionParamsid
Source: PcAppStore.exe, 0000000B.00000003.2821645484.000001A1B0482000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd{
Source: chrome.exe, 00000002.00000002.3519761492.0000016513EE1000.00000002.00000001.00040000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3392448432.000001A1B048A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.2646951862.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: chrome.exe, 00000002.00000002.3519761492.0000016513EE1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.2650728756.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3363330175.0000000004B00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000000.2629799617.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000002.3472679435.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: productui_creation_failedcreation_error=%wsui_termination_errordirectory_switching_error.\nwjs\NW_store.exe.\ui\.ENDING_EVT_HANDLERWindows Default Lock ScreenLocalPCAppStore\productsystem_eventmsg=shutdownshutdownproductsystem_eventmsg=logofflogoff{"app":{"menu_search":{"search_request":"", "page":"b"},"show_window": "menu_search"}}ClosingEventproducttaskbar_handler_erroreCode=%luShell_TrayWndStartTrayDummySearchControlTrayButton
Source: chrome.exe, 00000002.00000002.3519761492.0000016513EE1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.2646951862.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.3319579846.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000000.2629799617.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000002.3472679435.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: list too longStartMenuExperienceHost.exeShellExperienceHost.exeexplorer.exeSearchApp.exeSearchUI.exeSearchHost.exe{"app":{"menu_search":{"search_request":"", "page":"a", "top":%d,"left":%d,"bottom":%d,"right":%d},"show_window": "menu_search"}}{"app": {"hide_window": "menu_search"}}Shell_TrayWndStartTrayDummySearchControlTrayButton
Source: chrome.exe, 00000002.00000002.3519761492.0000016513EE1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.2646951862.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.3319579846.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000D.00000000.2642754992.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3301914543.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000000.2629799617.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000002.3472679435.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: TTaskbarShell_TrayWnd{"app": {"init":{"direction":"%c","screen_size":{"with_topbar":%d,"t":%d,"l":%d,"b":%d,"r":%d}}}}
Source: nsi70C.tmp, 00000009.00000002.2774771157.0000000002B4C000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000000.2629799617.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp, PcAppStore.exe, 0000000B.00000002.3472679435.00007FF6E4A5B000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: NWidgetShell_TrayWndTrayNotifyWnd+TrayButtonPNGArial++

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\nsi70C.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\PCAppStore\PcAppStore.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Jump to behavior

OS version to string mapping found (often used in BOTs)

Source: pt-PT.pak.info.9.dr	Binary or memory string: IDS_WIN_8_1_OBSOLETE,943,../../chrome/app/chromium_strings.grd
Source: pt-PT.pak.info.9.dr	Binary or memory string: IDS_WIN_XP_VISTA_OBSOLETE,940,../../chrome/app/chromium_strings.grd
Source: pt-PT.pak.info.9.dr	Binary or memory string: IDS_WIN_8_OBSOLETE,942,../../chrome/app/chromium_strings.grd
Source: pt-PT.pak.info.9.dr	Binary or memory string: IDS_WIN_7_OBSOLETE,941,../../chrome/app/chromium_strings.grd

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Input Capture	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	111 Registry Run Keys / Startup Folder	12 Process Injection	141 Virtualization/Sandbox Evasion	1 Input Capture	231 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Search Order Hijacking	111 Registry Run Keys / Startup Folder	1 Abuse Elevation Control Mechanism	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	133 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\Math.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\NSISFastLib.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\inetc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\nsJSON.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsi70C.tmp	46%	ReversingLabs	Win32.PUA.Generic
C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\NSISFastLib.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\inetc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsnEE14.tmp\nsJSON.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\AutoUpdater.exe	5%	ReversingLabs
C:\Users\user\PCAppStore\PcAppStore.exe	8%	ReversingLabs
C:\Users\user\PCAppStore\Uninstaller.exe	29%	ReversingLabs
C:\Users\user\PCAppStore\Watchdog.exe	5%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\NW_store.exe	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\libEGL.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\node.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\notification_helper.exe	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\nw.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\nw_elf.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\vulkan-1.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://pcapp.storeHX	0%	Avira URL Cloud	safe
https://pcapp.store1	0%	Avira URL Cloud	safe
https://pcapp.storeH	0%	Avira URL Cloud	safe
https://pcapp.st	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3674242073.0000040400C0C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/gonpemdgkjc	chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 00000002.00000002.3601866986.0000040400068000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/pixelgif.phpm	chrome.exe, 00000002.00000002.3687479873.0000040401160000.00000004.00000001.00020000.00000000.sdmp	false		high
http://dl.google.com/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcji	chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://dl.google.com/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjdbkjd	chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.google.com/dl/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmjkmgdlgnkk	chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://td.doubleclick.net/td/ga/rul?tid=G-VFQWFX3X1C&gacid=1491451011.1731359724&gtm=45C	chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/clientupdate-aus/1Cache-Control:	chrome.exe, 00000002.00000002.3680904402.0000040400F3C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efniojlnjndmcbiiee	chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/inst_cpg.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&ve	Setup.exe, 00000000.00000002.2249431363.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:838:0	chrome.exe, 00000002.00000002.3685029643.0000040401028000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.google.com/dl/release2/chrome_component/kqmxxzhbsp5oqnjc3nlsphfboa_20241101.690810062.14	chrome.exe, 00000002.00000002.3636663103.0000040400184000.00000004.00000001.00020000.00000000.sdmp	false		high
https://td.doubleclick.net/td/ga/rul?tid=G-VFQWFX3X1C&gacid=1491451011.1731359724&gtm=45	chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly	chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://delivery.pcapp.store/download.php?&src=mini_installer&file=1&mini_ver=&evt_src=fa_mini_insta	Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 00000002.00000002.3688922854.000004040159C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpn	chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/	chrome.exe, 00000002.00000002.3691154331.000004040180C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/	chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/document/:	chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687359663.0000040401154000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/kuv6sxh4r3bgt6ctayzn6cl44e_3049/jflookgnkcckhobaglnd	chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://td.doubleclick.net/	chrome.exe, 00000002.00000002.3692069212.0000040401904000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691292518.0000040401838000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/ogl	chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://unisolated.invalid/	chrome.exe, 00000002.00000002.3667032695.0000040400960000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/tips/	chrome.exe, 00000002.00000002.3663587125.00000404007D0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3666185350.0000040400910000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncan	chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2ation.Result	chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://tdsf.doubleclick.net/td/adfetch/gda?adg_4b48-b8b7-a4eb590d34b3	chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/tos.html?guid=	Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.000000000056C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/dl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/oimompe	chrome.exe, 00000002.00000002.3666319979.0000040400930000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000002.00000002.3660913501.000004040062E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660757093.0000040400618000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.googl0	chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://dl.google.com/release2/chrome_component/ac3jaavoltgfyc34eshs22baaooq_1128/efniojlnjndmcbiieeg	chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 00000002.00000002.3663505489.00000404007B0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3663412141.000004040079C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/pixelgif.php	chrome.exe, 00000002.00000002.3658279825.00000404004F4000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687479873.0000040401160000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689687108.000004040166C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3678638424.0000040400D64000.00000004.00000001.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/	chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 00000002.00000002.3661990200.00000404006D8000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3673797299.0000040400BD0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/api/api.phpo	chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/pixel.gif?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&version=fa.1092c&evt_src=fa_	Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2249431363.0000000000700000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246288853.0000000000700000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2074265969.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000003.2613673315.0000000003868000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, nsi70C.tmp, 00000009.00000002.2773861819.0000000000520000.00000004.00000020.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000002.3392448432.000001A1B048A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000002.00000002.3593070850.000004040000C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660424391.00000404005DC000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/analytics-container-tag-servingy	chrome.exe, 00000002.00000002.3686382804.00000404010E4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/858128210/?random=1731359724105&cv=	chrome.exe, 00000002.00000002.3680700958.0000040400F18000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3691154331.000004040180C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.st	chrome.exe, 00000002.00000002.3661385422.0000040400650000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820456&cv_id=0&format=$	chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.google.com/dl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppe	chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3	chrome.exe, 00000002.00000002.3680281468.0000040400EEC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://dl.google.com/release2/chrome_component/adpcjrzq66vnkuggykvi4ijjqtva_9291/hfnkpimlhhgieaddgfe	chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000002.00000002.3673114267.0000040400B7C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store	chrome.exe, 00000002.00000002.3679230480.0000040400E7F000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000003.2811042443.0000040400294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3556725840.0000016517C1D000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3695531384.0000040402330000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000003.2931707195.0000040400294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3656635886.000004040036C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3676927127.0000040400C58000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000003.3012166842.0000040400294000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcj	chrome.exe, 00000002.00000002.3620878025.00000404000EC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	chrome.exe, 00000002.00000002.3682583023.0000040400F98000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	chrome.exe, 00000002.00000002.3657857046.0000040400484000.00000004.00000001.00020000.00000000.sdmp	false		high
http://dl.google.com/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnf	chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store1	chrome.exe, 00000002.00000002.3679230480.0000040400E7F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/	Setup.exe, 00000000.00000002.2254222810.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246122848.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2246288853.0000000000710000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2074265969.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.2249431363.0000000000710000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690623544.0000040401791000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3638669538.000004040018C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3625339408.0000040400120000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3660000463.0000040400590000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3632853896.0000040400164000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3600025879.000004040005C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661385422.0000040400650000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689387733.000004040160C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3657179727.000004040045E000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3667289268.0000040400980000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690385893.0000040401760000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3661484612.0000040400678000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3686959351.00000404010FC000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3689822811.0000040401688000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3677025922.0000040400C68000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/	chrome.exe, 00000002.00000002.3687579647.000004040116C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_third_p	chrome.exe, 00000002.00000002.3657974653.00000404004B4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/src/main.js	chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3690451680.000004040176C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820411&cv_id=0&format=$	chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.storeHX	chrome.exe, 00000002.00000002.3670003384.0000040400A84000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820429&cv_id=0&format=$	chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	false		high
http://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_third_pa	chrome.exe, 00000002.00000002.3657974653.00000404004B4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000002.00000002.3671444446.0000040400B54000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/kqmxxzhbsp5oqnjc3nlsphfboa_20241101.690810062.14/obe	chrome.exe, 00000002.00000002.3636663103.0000040400184000.00000004.00000001.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000002.00000002.3650954190.000004040020C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000002.00000002.3663239631.0000040400758000.00000004.00000001.00020000.00000000.sdmp	false		high
https://googletagmanager.com/cy	chrome.exe, 00000002.00000002.3689890302.000004040169C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820450&cv_id=0&format=$	chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 00000002.00000002.3674028754.0000040400BEC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://drive-daily-4.c	chrome.exe, 00000002.00000002.3656212723.00000404002FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=156786411258&cr_id=682239234212&cv_id=0&format=$	chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 00000002.00000002.3593070850.000004040000C000.00000004.00000001.00020000.00000000.sdmp, PcAppStore.exe, 0000000B.00000003.2920310089.000001A1B0518000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pcapp.storeH	chrome.exe, 00000002.00000002.3563532130.0000016519AE7000.00000004.00000001.00040000.00000000.sdmp, chrome.exe, 00000002.00000002.3687862249.00000404013DC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/?feature=ytcaogl	chrome.exe, 00000002.00000002.3660757093.0000040400618000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/pixelgif.phpderValidator	chrome.exe, 00000002.00000002.3689687108.000004040166C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pcapp.store/privacy.html?guid=welhttps://pcapp.store/pixel.gif?guid=&version=&evt_src=fa_min	Setup.exe, 00000000.00000002.2248700845.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.google.com/g/collect?v=2&tid=G-VFQWFX3X1C&gtm=45je4b70v898645365za200zb9103256652&	chrome.exe, 00000002.00000002.3690623544.0000040401791000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000002.00000002.3555704146.000001651741D000.00000004.00000001.00040000.00000000.sdmp	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 00000002.00000002.3646364960.00000404001C4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://tdsf.doubleclick.net/td/adfetch/gda?adg_id=163766597928&cr_id=688766820414&cv_id=0&format=$	chrome.exe, 00000002.00000002.3691644418.0000040401898000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	unknown	United States	15169	GOOGLEUS	false
74.125.133.157	unknown	United States	15169	GOOGLEUS	false
142.250.185.99	unknown	United States	15169	GOOGLEUS	false
142.250.185.206	unknown	United States	15169	GOOGLEUS	false
142.250.186.170	unknown	United States	15169	GOOGLEUS	false
142.250.74.206	unknown	United States	15169	GOOGLEUS	false
209.222.21.115	unknown	United States	20473	AS-CHOOPAUS	false
3.161.119.118	unknown	United States	16509	AMAZON-02US	false
173.194.76.84	unknown	United States	15169	GOOGLEUS	false
216.239.38.181	unknown	United States	15169	GOOGLEUS	false
142.250.185.100	unknown	United States	15169	GOOGLEUS	false
142.250.185.104	unknown	United States	15169	GOOGLEUS	false
147.182.211.77	unknown	United States	27555	BV-PUBLIC-ASNUS	false
142.250.185.162	unknown	United States	15169	GOOGLEUS	false
142.250.186.132	unknown	United States	15169	GOOGLEUS	false
172.217.18.98	unknown	United States	15169	GOOGLEUS	false
142.250.184.200	unknown	United States	15169	GOOGLEUS	false
104.248.126.225	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
172.217.16.142	unknown	United States	15169	GOOGLEUS	false
142.250.185.67	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
195.181.170.19	unknown	United Kingdom	60068	CDN77GB	false
142.250.185.232	unknown	United States	15169	GOOGLEUS	false
172.217.18.2	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
212.102.56.178	unknown	Italy	60068	CDN77GB	false
45.32.1.23	unknown	United States	20473	AS-CHOOPAUS	false
37.19.194.81	unknown	Ukraine	31343	INTERTELECOMUA	false
216.58.212.163	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5
192.168.2.13

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554012
Start date and time:	2024-11-11 22:14:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	28
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal51.spyw.evad.winEXE@35/306@0/31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
16:16:14	API Interceptor	495x Sleep call for process: Watchdog.exe modified
16:16:35	API Interceptor	293x Sleep call for process: explorer.exe modified
16:16:42	API Interceptor	1x Sleep call for process: PcAppStore.exe modified
22:16:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PCAppStore "C:\Users\user\PCAppStore\PCAppStore.exe" /init default
22:16:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater "C:\Users\user\PCAppStore\AutoUpdater.exe" /i
22:16:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Watchdog "C:\Users\user\PCAppStore\Watchdog.exe" /guid=2ED92742-89DC-DD72-92E8-869FA5A66493 /rid=20241111161614.1886019781 /ver=fa.1092c
22:16:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PCAppStore "C:\Users\user\PCAppStore\PCAppStore.exe" /init default
22:16:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater "C:\Users\user\PCAppStore\AutoUpdater.exe" /i
22:16:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Watchdog "C:\Users\user\PCAppStore\Watchdog.exe" /guid=2ED92742-89DC-DD72-92E8-869FA5A66493 /rid=20241111161614.1886019781 /ver=fa.1092c

LLM Input / Output

Input	Output
URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "We're on it, hold on", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "brands": [ "PC APP STORE" ] }
	```json { "brands": [ "PC APP STORE" ] }
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://pcapp.store
URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "We're on it, hold on", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "brands": [ "PC APP STORE" ] }
	```json { "brands": [ "PC APP STORE" ] }
URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Summoning the app wizard", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "brands": [ "PC APP STORE" ] }
	```json { "brands": [ "PC APP STORE" ] }
URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Sprinkling some app magic", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false } ``` The provided image appears to be a blank webpage with minimal content. There are no visible trigger phrases, prominent buttons or links, text input fields, PDF icons, CAPTCHAs, urgent text, or QR codes. The page appears to be a generic landing page or placeholder without any clear indicators of a potential security risk or sensitive information.

URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "brands": [ "PC APP STORE" ] }
	```json { "brands": [ "PC APP STORE" ] }
URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "brands": [ "PC APP STORE" ] }
	```json { "brands": [ "PC APP STORE" ] }
URL: https://pcapp.store/?p=lpd_installing_r2&guid=2ED92742-89DC-DD72-92E8-869FA5A66493&_fcid=1731354202975821&_winver=19045&version=fa.1092c Model: claude-3-haiku-20240307	```json { "brands": [ "PC APP STORE" ] }
	```json { "brands": [ "PC APP STORE" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.182.211.77	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
209.222.21.115	Setup (1).exe	Get hash	malicious	Unknown	Browse	pcapp.store/notify_app_v2.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&lastid=0&lasttime=0&end_v=fa.1079b&nocache=6015250
3.161.119.118	https://treezoriostart.github.io/	Get hash	malicious	Unknown	Browse
3.161.119.118	http://encr.pw/KE2tz	Get hash	malicious	Unknown	Browse
104.248.126.225	Setup.exe	Get hash	malicious	Unknown	Browse
	https://pcapp.store/pixel.gif	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup (1).exe	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_c30dd28cb119f2aa20ddabe8968b8cadbe80bcb2.zip	Get hash	malicious	Unknown	Browse
	nso7806.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	http://pcapp.store	Get hash	malicious	Unknown	Browse
	http://pcapp.store	Get hash	malicious	Unknown	Browse
	PcAppStore.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	allpdfpro.msi	Get hash	malicious	Unknown	Browse	3.161.193.27
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	108.138.128.93
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	108.139.47.108
	http://invoicehome.uk/invoice.zip	Get hash	malicious	Unknown	Browse	35.162.159.57
	Invoice #16468.docx	Get hash	malicious	Unknown	Browse	3.5.128.100
	https://www.hopp.bio/hawksridgefarms	Get hash	malicious	Mamba2FA	Browse	18.239.69.79
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.244.18.38
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	76.223.67.189
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	76.223.67.189
	https://axieu.com/terma/GeHDLf	Get hash	malicious	Unknown	Browse	18.245.187.38
AS-CHOOPAUS	http://muse.krazzykriss.com	Get hash	malicious	Unknown	Browse	45.77.78.73
	fK4N7E6bFV.exe	Get hash	malicious	Remcos	Browse	155.138.180.2
	72BF1aHUKl.msi	Get hash	malicious	NetSupport RAT	Browse	95.179.156.158
	sora.mips.elf	Get hash	malicious	Mirai	Browse	149.28.47.121
	7sugT5Gudk.exe	Get hash	malicious	Unknown	Browse	45.32.92.201
	8WdO7I87E1.elf	Get hash	malicious	Mirai, Moobot	Browse	204.80.129.87
	e5AiOG6uDI.elf	Get hash	malicious	Mirai, Moobot	Browse	217.163.25.106
	Setup.exe	Get hash	malicious	Unknown	Browse	209.222.21.115
	Setup.exe	Get hash	malicious	Unknown	Browse	45.32.1.23
	yakuza.sparc.elf	Get hash	malicious	Unknown	Browse	144.203.17.212
BV-PUBLIC-ASNUS	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	147.182.229.60
	ACTION REQUIRED Revised Billing #NL992-071 From Robinson Aviation Inc.msg	Get hash	malicious	Unknown	Browse	147.182.200.48
	Setup.exe	Get hash	malicious	Unknown	Browse	147.182.211.77
	Setup.exe	Get hash	malicious	Unknown	Browse	147.182.211.77
	Setup.exe	Get hash	malicious	Unknown	Browse	147.182.211.77
	Setup.exe	Get hash	malicious	Unknown	Browse	147.182.211.77
	https://averellharriman.sharefile.com/public/share/web-s3b96c17360cd43e7bdcaf25a23709fd0	Get hash	malicious	Unknown	Browse	147.182.200.48
	Setup.exe	Get hash	malicious	Unknown	Browse	147.182.211.77
	Setup.exe	Get hash	malicious	Unknown	Browse	147.182.211.77
	Setup.exe	Get hash	malicious	Unknown	Browse	147.182.211.77

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsc44E0.tmp\Math.dll	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	https://pcapp.store/pixel.gif	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	112680
Entropy (8bit):	4.023502723250981
Encrypted:	false
SSDEEP:	768:gtlMHbkSGwTDkrkzljk0ZdHHzS4XNcL6roQjCILZP1PER1v4jtN5GmWypye2t35G:Vk2D7zRHHzS4eQ3hvigG4nv1hF4KHY3k
MD5:	7595881D100CB31855D8BAECB070EA26
SHA1:	4F47BAE57FFF09925102CD22E03D5ACE554D4E72
SHA-256:	8642BDE29AC0ED04F1141E2432E1D7248E90D2228F8A5378BC186410F3A07D84
SHA-512:	DF57F530554EBCC38BAA17189FC49EC9B33E680F9BA3A6808112CA4DB8A1EAB9FB69D993BAAFF0015B624ACCEB83B640C6D9D6EB600B1558613EEB5DFA97D4D5
Malicious:	false
Preview:	....h... ...(...x.......P...........x..._.......d...h...................].......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	93386616
Entropy (8bit):	7.99999306217129
Encrypted:	true
SSDEEP:	1572864:52KX1mfH5AoIZnp9/pkhKzHjrSADzxet6X3mRsDqpszbyxjpB3ayh1sN1KGoMy1u:5jExAJh/pksTnFet6mu2G0jptggJ+flP
MD5:	84EE733F8014D22DAD2DFEF725489980
SHA1:	950A437488464103B9BF34610962C22192585BFC
SHA-256:	F42D2BF4A50AB0CDB4A1C43964F0429C4663E27C76D8C61AFA174A531A7819A1
SHA-512:	132C9BE1217804B73F8A99EA44D702E9DA0782CB6BBCC80DB2C2C72BDA1A93D06B2ADEF1B464F9163311F7482B2400553BA082C0F7F3CCF3B42C8C9B881306EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@.......................... ............@.............................................HO.......... ..X)...........................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata... ...............................rsrc...HO.......P..................@..@................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 11 20:15:23 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.980428197361339
Encrypted:	false
SSDEEP:	48:82d8TAMcHjidAKZdA19ehwiZUklqehyy+3:8dnody
MD5:	4296345754BD15770CEA0615367359E8
SHA1:	7D79E4403A2120F3DFBAFF84A2E462F88419675C
SHA-256:	F93E47A14FD862081B77C513C0646EB0019DDB6F34C24C7325F8AE47FF336BFF
SHA-512:	1647421399EDDCB24CB8D629D1C2ED7DB5F3B2AEE6BD6E2747A4D114A02E9DD3EB9EE0087528809A707DAE05C36D1339CE5EF9709705CFD9C4A83555B00F9E4A
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....Mf.~4..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IkY.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VkY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VkY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VkY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VkY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............6......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	08/05/2024 02:00:00 14/02/2025 00:59:59
Subject Chain	CN=FAST CORPORATION LTD, O=FAST CORPORATION LTD, L=Ra'anana, C=IL, SERIALNUMBER=515636181, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
Version:	3
Thumbprint MD5:	04786BD703B906E22AECB2AD38CE4D94
Thumbprint SHA-1:	07BE42727905BE32C822A638502C1B8FAAE6540A
Thumbprint SHA-256:	FDB017BB88E5D453E22A73810690C72534F58EFB109EA0D4494EC393F2307DBC
Serial:	0E5C655E1CBE9A8879372F58A5BC0302

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x4f40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2bd00	0x2968	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	ce9df19df15aa7bfbc0a8d0af0b841d0	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	a118375c929d970903c1204233b7583d	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	82a10c59a8679bb952fc8316070b8a6c	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x36000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6c000	0x4f40	0x5000	6147c56de0951034d77b52b0075b790f	False	0.1015625	data	2.760740823683962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6c208	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	English	United States	0.036372224846480866
RT_DIALOG	0x70430	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x70638	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x70730	0xa0	data	English	United States	0.60625
RT_DIALOG	0x707d0	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x708c0	0x14	data	English	United States	1.1
RT_VERSION	0x708d8	0x240	data	English	United States	0.4895833333333333
RT_MANIFEST	0x70b18	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Target ID:	0
Start time:	16:15:13
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	190'056 bytes
MD5 hash:	92C35FBE82BF7E416805C9286746AC4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	16:15:19
Start date:	11/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=2ED92742-89DC-DD72-92E8-869FA5A66493&winver=19045&version=fa.1092c&nocache=20241111161519.190&_fcid=1731354202975821
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	16:15:23
Start date:	11/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4964 --field-trial-handle=2020,i,9919245016783265167,1368110808741966562,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	16:15:35
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\nsi70C.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\nsi70C.tmp" /internal 1731354202975821 /force
Imagebase:	0x400000
File size:	93'386'616 bytes
MD5 hash:	84EE733F8014D22DAD2DFEF725489980
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 46%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	16:16:15
Start date:	11/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	15
Start time:	16:16:23
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	18
Start time:	16:16:24
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	21
Start time:	16:16:25
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	22
Start time:	16:16:26
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	23
Start time:	16:16:27
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	27
Start time:	16:16:28
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Phishing

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p7U2V3SLL.gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p9P86HCZW.gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[10].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[2].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[3].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[4].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[5].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[6].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[7].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[8].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\p[9].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\p7BE3C87L.gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\pHPS3AGSM.gif

Windows Analysis Report
Setup.exe

Target ID:	32
Start time:	16:16:29
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	38
Start time:	16:16:30
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	42
Start time:	16:16:31
Start date:	11/11/2024
Path:	C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\STnbPUBnkXHdMrjoXRqZBmgHBCFvxGtaVuMxvyCeqdAoRnLgPh\RoXOpwnzkOItZgrk.exe"
Imagebase:	0x630000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre