Windows Analysis Report
SwitchAutoSetup_v0.7.0.3.exe

Overview

General Information

Sample name:	SwitchAutoSetup_v0.7.0.3.exe
Analysis ID:	1632615
MD5:	4ce764cccf817c7f6f527e8d2c69c7e6
SHA1:	ab533c671d0da276e5096455cc841b2703c0f3ef
SHA256:	2959bef771b11c5180c49ab65c8e1db4d2a1c1b079a842f2300fefad35f7bb11
Tags:	exevidaruser-aachum
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe (copy)	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-QSQJJ.tmp	ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: SwitchAutoSetup_v0.7.0.3.exe	Virustotal: Detection: 19%			Perma Link
Source: SwitchAutoSetup_v0.7.0.3.exe	ReversingLabs: Detection: 15%

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00986A10 StrStrA,lstrlen,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlen,		5_2_00986A10
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00990830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,		5_2_00990830

Uses 32bit PE files

Source: SwitchAutoSetup_v0.7.0.3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49781 version: TLS 1.2

Source: SwitchAutoSetup_v0.7.0.3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: x64\ship\0\ietag.dll\bbtopt\ietagO.pdb source: is-2NH1K.tmp.3.dr
Source:	Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\GitLab.UI.Windows\obj\WindowsRelease\net472\GitLab.UI.pdbSHA256 source: is-MMEK3.tmp.3.dr
Source:	Binary string: t:\mso\x64\ship\0\ietag.pdb source: is-2NH1K.tmp.3.dr
Source:	Binary string: cryptosetup.pdbGCTL source: SystemScannerSetup.exe, 00000005.00000002.2415946862.000000000362D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdb source: SystemScannerSetup.exe, 00000005.00000002.2415946862.000000000362D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: t:\mso\x64\ship\0\ietag.pdbx64\ship\0\ietag.dll\bbtopt\ietagO.pdbh source: is-2NH1K.tmp.3.dr
Source:	Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\GitLab.UI.Windows\obj\WindowsRelease\net472\GitLab.UI.pdb source: is-MMEK3.tmp.3.dr
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00402910 FindFirstFileW,	5_2_00402910
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_004069DF FindFirstFileW,FindClose,	5_2_004069DF
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00405D8E DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00405D8E
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0098B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	5_2_0098B6B0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00987210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,memset,CopyFileA,DeleteFileA,memset,FindClose,	5_2_00987210
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00993580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose,	5_2_00993580
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_009897B0 FindFirstFileA,FindNextFileA,strlen,	5_2_009897B0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_009813F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	5_2_009813F0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00988360 FindFirstFileA,CopyFileA,FindNextFileA,strlen,CopyFileA,FindClose,	5_2_00988360
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00988C90 lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,strlen,lstrcpy,memset,lstrcpy,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpy,lstrcpy,CopyFileA,FindClose,FindClose,DeleteFileA,	5_2_00988C90
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00995EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,_mbscpy,_splitpath,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose,	5_2_00995EB0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0098ACD0 wsprintfA,FindFirstFileA,strlen,lstrlen,DeleteFileA,CopyFileA,FindClose,	5_2_0098ACD0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00994E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,FindClose,	5_2_00994E70
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00993FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,FindClose,	5_2_00993FD0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00994950 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrlen,lstrlen,	5_2_00994950

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe

Code function: 5_2_00993AF0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen,

5_2_00993AF0

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 8MB later: 41MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49724 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49756 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49757 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49728 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49730 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49730 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49758 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49758 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49763 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49763 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49726 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49729 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49731 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49731 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49759 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49759 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49732 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49732 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.31.199:443 -> 192.168.2.4:49727
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49760 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49760 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49762 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49762 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.31.199:443 -> 192.168.2.4:49726
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49767 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49770 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49768 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49771 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49775 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49761 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49761 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49773 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49780 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49772 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49769 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49777 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49776 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49774 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49779 -> 95.217.31.199:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49766 -> 95.217.31.199:443

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe

Code function: 5_2_00982690 lstrlen,StrCmpCA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,GetProcessHeap,RtlAllocateHeap,memcpy,lstrlen,memcpy,lstrlen,memcpy,lstrlen,HttpSendRequestA,Sleep,HttpQueryInfoA,InternetReadFile,InternetReadFile,StrCmpCA,InternetCloseHandle,InternetCloseHandle,

5_2_00982690

Source: global traffic	HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: us.f.goldenloafuae.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgdbOAQjI3M4BCIrgzgEIruTOAQiG5c4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgdbOAQjI3M4BCIrgzgEIruTOAQiG5c4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000003.1676167786.00000E5401538000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1676249298.00000E54014B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000C.00000003.1676167786.00000E5401538000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1676249298.00000E54014B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000002.1763118071.00000E540014C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: l="https://www.facebook. equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: us.f.goldenloafuae.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----as26fu3ekf37qie37y5fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: us.f.goldenloafuae.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000000C.00000002.1766289085.00000E5400848000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1426803738.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m&
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-CDLA5.tmp.3.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: chrome.exe, 0000000C.00000002.1762643984.00000E5400040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 0000000C.00000002.1762808398.00000E54000B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: SystemScannerSetup.exe, 00000005.00000002.2410104804.000000000040A000.00000008.00000001.01000000.00000011.sdmp, is-QSQJJ.tmp.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: is-CDLA5.tmp.3.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0?
Source: chrome.exe, 0000000C.00000002.1770060021.00000E5400F60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: is-CDLA5.tmp.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-CDLA5.tmp.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-CDLA5.tmp.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: chrome.exe, 0000000C.00000002.1769101880.00000E5400DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1426803738.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: chrome.exe, 0000000C.00000002.1751274379.0000024B207A0000.00000002.00000001.00040000.00000019.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: is-CDLA5.tmp.3.dr	String found in binary or memory: http://www.vmware.com/0
Source: chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000002.1762643984.00000E5400040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775425096.00000E5401A44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771758681.00000E540128C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000000C.00000002.1775425096.00000E5401A44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000000C.00000003.1675910854.00000E54010E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 0000000C.00000003.1675910854.00000E54010E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000000C.00000002.1763012808.00000E5400109000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: chrome.exe, 0000000C.00000003.1712373986.00000E5401508000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711364407.00000E5401558000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713115103.00000E5401538000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 0000000C.00000002.1769494238.00000E5400E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774517924.00000E540187C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1756562218.0000024B26B97000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 0000000C.00000002.1771188780.00000E5401198000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675988183.00000E54012E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000C.00000003.1666418449.00000E5000468000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000C.00000002.1766009646.00000E54007C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000C.00000002.1766009646.00000E54007C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000C.00000002.1763731535.00000E54002CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000000C.00000002.1763731535.00000E54002CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 0000000C.00000002.1763405975.00000E54001D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000000C.00000002.1767044155.00000E54009BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1664450207.00000778000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000C.00000002.1763405975.00000E54001D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766652476.00000E5400908000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766289085.00000E5400848000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763291723.00000E5400198000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000C.00000002.1765842218.00000E540078F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000000C.00000002.1766289085.00000E5400848000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/368855.)
Source: chrome.exe, 0000000C.00000002.1764183680.00000E54003D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.1768285555.00000E5400C78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767447600.00000E5400AFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 0000000C.00000002.1765807932.00000E5400784000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 0000000C.00000003.1711519779.00000E54016F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711519779.00000E54016A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000C.00000003.1666418449.00000E5000468000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666347199.00000E5000458000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000C.00000002.1762530557.00000E5400004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000C.00000002.1766578185.00000E54008E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713907864.00000E5401B08000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://jrsoftware.org/
Source: SwitchAutoSetup_v0.7.0.3.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://jrsoftware.org0
Source: chrome.exe, 0000000C.00000002.1768948060.00000E5400D74000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771256346.00000E54011C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767817560.00000E5400B90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000000C.00000003.1711364407.00000E5401558000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 0000000C.00000002.1763938996.00000E5400328000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/comon
Source: chrome.exe, 0000000C.00000002.1763731535.00000E54002CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770740981.00000E54010E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766652476.00000E5400908000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769596352.00000E5400E2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771758681.00000E540128C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675910854.00000E54010E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 0000000C.00000002.1770668945.00000E54010C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766970543.00000E540099C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774625425.00000E54018C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770212051.00000E5400FB4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.1770212051.00000E5400FB4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultValidator
Source: chrome.exe, 0000000C.00000002.1774625425.00000E54018C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultfault
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.1767379255.00000E5400A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768879134.00000E5400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774004353.00000E540176C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000C.00000002.1767218758.00000E5400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768458225.00000E5400CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000000C.00000002.1768135751.00000E5400C1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp, chrome.exe, 0000000C.00000003.1675837986.00000E54011A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 0000000C.00000002.1774730234.00000E54018F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000C.00000002.1762763876.00000E5400088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770160353.00000E5400FA0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770160353.00000E5400FA0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775248788.00000E5401A28000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774730234.00000E54018F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728324084&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000C.00000002.1770160353.00000E5400FA0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808228&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808249&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000C.00000002.1775208989.00000E5401A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773263320.00000E54014F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739894676&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000000C.00000002.1775021024.00000E5401990000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042075&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 0000000C.00000002.1770500622.00000E5401088000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773541487.00000E54015D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773436687.00000E54015A5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713055404.00000E5401084000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1675777847.00000E5401084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000C.00000002.1775208989.00000E5401A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773575636.00000E54015E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773611001.00000E54015F0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773682706.00000E5401604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000000C.00000003.1711364407.00000E5401558000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713115103.00000E5401538000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 0000000C.00000002.1767044155.00000E54009BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 0000000C.00000002.1768135751.00000E5400C1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp, chrome.exe, 0000000C.00000003.1675837986.00000E54011A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000C.00000003.1675579088.00000E5400710000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1765716117.00000E5400710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000C.00000002.1762877466.00000E54000E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764570210.00000E5400450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000C.00000002.1762841931.00000E54000C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000C.00000002.1773182996.00000E54014DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768740720.00000E5400D1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767817560.00000E5400B90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: SystemScannerSetup.exe, 00000005.00000002.2414264528.0000000002510000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
Source: SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 0000000C.00000003.1713172327.00000E5400540000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764735847.00000E5400540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20161
Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: chrome.exe, 0000000C.00000002.1773716137.00000E5401610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e175
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: SystemScannerSetup.exe, 00000005.00000003.1461796705.0000000000612000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oy
Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oy-
Source: SystemScannerSetup.exe, 00000005.00000002.2413439900.00000000009A2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oyir7amMozilla/5.0
Source: chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1582040519.0000000000631000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1426803738.000000000066F000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1552809969.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com
Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com#
Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1582040519.0000000000631000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1552809969.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/
Source: SystemScannerSetup.exe, 00000005.00000003.1521581095.0000000000633000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/#
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/.
Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/6
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/:
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/B
Source: SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/Ch3uo
Source: SystemScannerSetup.exe, 00000005.00000003.1491933351.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/G
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/denloafuae.com/
Source: SystemScannerSetup.exe, 00000005.00000003.1552809969.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/qh
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/s
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.0000000003840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com/sts
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com2
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.comH
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461705210.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.comd
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://us.f.goldenloafuae.com~
Source: SystemScannerSetup.exe, 00000005.00000003.1426749596.0000000000634000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1461796705.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491978923.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1521641183.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000003.1173004151.0000000002363000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261596583.0000000000AB3000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769028706.00000E5400D94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1611815430.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: chrome.exe, 0000000C.00000002.1763118071.00000E540014C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.
Source: chrome.exe, 0000000C.00000003.1712030400.00000E5401528000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769336205.00000E5400DC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1771758681.00000E540128C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766578185.00000E54008E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000C.00000002.1771032649.00000E540116C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000000C.00000002.1774433539.00000E5401840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 0000000C.00000002.1767044155.00000E54009BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 0000000C.00000002.1766704820.00000E5400944000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000C.00000002.1753523156.0000024B22FF0000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 0000000C.00000002.1770593010.00000E5401094000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1768879134.00000E5400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767697553.00000E5400B68000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: SystemScannerSetup.exe, 00000005.00000002.2416786437.000000000385B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764048514.00000E5400388000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1767520370.00000E5400B24000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1769951709.00000E5400EFC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1764693613.00000E5400500000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763246356.00000E540018C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711933931.00000E5400500000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766179166.00000E5400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 0000000C.00000002.1764365926.00000E5400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 0000000C.00000002.1764437647.00000E5400430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab
Source: chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1714114840.00000E5401B78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713907864.00000E5401B08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1711722751.00000E5401660000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1713870726.00000E5401AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000C.00000002.1765080772.00000E5400620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000000C.00000002.1765080772.00000E5400620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit7E
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1666590184.00000E50004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666530567.00000E50004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666634617.00000E50004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 0000000C.00000003.1714114840.00000E5401B20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666168201.00000E5000184000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000C.00000003.1666590184.00000E50004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666530567.00000E50004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666634617.00000E50004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerForcedOn_PlusAddressAndroidOpenGmsCoreManagementP
Source: chrome.exe, 0000000C.00000003.1666590184.00000E50004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666439200.00000E500048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666530567.00000E50004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666634617.00000E50004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1666497628.00000E5000498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerPlusAddressOfferCreationIfPasswordFieldIsNotVisib
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000000C.00000002.1763615612.00000E5400214000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000000C.00000002.1766056559.00000E54007E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1773068670.00000E5401478000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000C.00000002.1776588751.00000E5401F5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000C.00000002.1777268667.00000E5402058000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776331079.00000E5401D7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776629547.00000E5401F6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776979255.00000E5402004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774141831.00000E54017A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776588751.00000E5401F5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000C.00000002.1766578185.00000E54008E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.WcyoQrvsWY0.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000000C.00000002.1776703584.00000E5401FC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1776829622.00000E5401FD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540201C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1777037326.00000E540203C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.L8bgMGq1rcI.L.W.O/m=qmd
Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000000.1167130222.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SwitchAutoSetup_v0.7.0.3.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SystemScannerSetup.exe, 00000005.00000002.2420351688.0000000003EB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000000.1167130222.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SwitchAutoSetup_v0.7.0.3.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000003.1261160569.0000000002EAD000.00000004.00001000.00020000.00000000.sdmp, SwitchAutoSetup_v0.7.0.3.tmp, 00000003.00000002.1263324542.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 0000000C.00000002.1765214144.00000E5400640000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1766891254.00000E5400995000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.31.199:443 -> 192.168.2.4:49781 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe

Code function: 5_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_00405846

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe

Code function: 5_2_00990A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,ReleaseDC,CloseWindow,

5_2_00990A90

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe

Code function: 5_2_00986480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpy,CreateProcessA,Sleep,CloseDesktop,

5_2_00986480

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00511F3B NtAllocateVirtualMemory,	5_2_00511F3B
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00511FCC NtProtectVirtualMemory,	5_2_00511FCC
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00511F8E NtFreeVirtualMemory,	5_2_00511F8E
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0059066E NtProtectVirtualMemory,	5_2_0059066E
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00590CD8 NtAllocateVirtualMemory,	5_2_00590CD8
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00590B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	5_2_00590B72
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_005911E5 CreateThread,malloc,NtClose,free,	5_2_005911E5
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_005910E8 NtClose,	5_2_005910E8
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00591084 NtClose,	5_2_00591084
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0059114C NtClose,	5_2_0059114C
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_005919C5 free,NtClose,free,	5_2_005919C5

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00403645	5_2_00403645
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0040464D	5_2_0040464D
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00404668	5_2_00404668
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00404636	5_2_00404636
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00403CF4	5_2_00403CF4
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00406DA0	5_2_00406DA0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00510531	5_2_00510531
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00510001	5_2_00510001
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00984A20	5_2_00984A20
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00998630	5_2_00998630
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_009993D0	5_2_009993D0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0099A7D0	5_2_0099A7D0
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0099B300	5_2_0099B300
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0099C100	5_2_0099C100
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_0099B770	5_2_0099B770

PE / OLE file has an invalid certificate

Source: SwitchAutoSetup_v0.7.0.3.exe

Static PE information: invalid certificate

PE file contains executable resources (Code or Archives)

Source: SwitchAutoSetup_v0.7.0.3.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SwitchAutoSetup_v0.7.0.3.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

PE file contains more sections than normal

Source: is-GTHAH.tmp.3.dr	Static PE information: Number of sections : 11 > 10
Source: is-JL3NL.tmp.3.dr	Static PE information: Number of sections : 11 > 10
Source: is-P0TS2.tmp.3.dr	Static PE information: Number of sections : 11 > 10
Source: is-FJU40.tmp.3.dr	Static PE information: Number of sections : 11 > 10
Source: is-T2KNG.tmp.3.dr	Static PE information: Number of sections : 11 > 10
Source: is-J3R4N.tmp.3.dr	Static PE information: Number of sections : 11 > 10

Sample file is different than original file name gathered from version info

Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1165812488.000000007FB60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1178944856.0000000002348000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs SwitchAutoSetup_v0.7.0.3.exe
Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000000.1164868537.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
Source: SwitchAutoSetup_v0.7.0.3.exe, 00000000.00000003.1178944856.000000000228A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
Source: SwitchAutoSetup_v0.7.0.3.exe, 00000002.00000003.1264484208.000000000220A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe
Source: SwitchAutoSetup_v0.7.0.3.exe, 00000002.00000003.1264484208.00000000022C8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs SwitchAutoSetup_v0.7.0.3.exe
Source: SwitchAutoSetup_v0.7.0.3.exe	Binary or memory string: OriginalFileName vs SwitchAutoSetup_v0.7.0.3.exe

Uses 32bit PE files

Source: SwitchAutoSetup_v0.7.0.3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: is-QSQJJ.tmp.3.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/62@5/5

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe

Code function: 5_2_00510C41 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,Thread32Next,CloseHandle,

5_2_00510C41

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe

Code function: 5_2_004021AF CoCreateInstance,

5_2_004021AF

Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 0000000C.00000002.1771820943.00000E54012C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763810558.00000E54002FC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770830222.00000E5401134000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 0000000C.00000002.1765447436.00000E54006C1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
Source: chrome.exe, 0000000C.00000002.1771820943.00000E54012C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1763810558.00000E54002FC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1770830222.00000E5401134000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
Source: chrome.exe, 0000000C.00000002.1774912505.00000E540194C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
Source: 79h47yuk6.5.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chrome.exe, 0000000C.00000002.1774987898.00000E5401980000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 0000000C.00000002.1770002682.00000E5400F28000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';

Source: unknown	Process created: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe"
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$2043C,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process created: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$20446,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe "C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe"
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,7230122723258020460,16503310506373257666,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2508 /prefetch:3
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$2043C,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process created: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe "C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp" /SL5="$20446,22688416,781824,C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe "C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,7230122723258020460,16503310506373257666,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2508 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: SwitchAutoSetup_v0.7.0.3.exe	Static PE information: section name: .didata
Source: SwitchAutoSetup_v0.7.0.3.tmp.0.dr	Static PE information: section name: .didata
Source: SwitchAutoSetup_v0.7.0.3.tmp.2.dr	Static PE information: section name: .didata
Source: is-P0TS2.tmp.3.dr	Static PE information: section name: .xdata
Source: is-GTHAH.tmp.3.dr	Static PE information: section name: .xdata
Source: is-JL3NL.tmp.3.dr	Static PE information: section name: .xdata
Source: is-T2KNG.tmp.3.dr	Static PE information: section name: .xdata
Source: is-FJU40.tmp.3.dr	Static PE information: section name: .xdata
Source: is-J3R4N.tmp.3.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\p11-kit.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\pkcs1-conv.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-547IQ.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	File created: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-P0TS2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-JL3NL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\kvno.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\libopencore-amrnb.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\blocked-file-util.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-FJU40.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\IETAG.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-J3R4N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-CDLA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\tclsh86.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-QSQJJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-GTHAH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-T2KNG.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	File created: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\wish86.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File created: C:\ProgramData\glxbs\wlfk6f	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\bzip2recover.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-2NH1K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\GitLab.UI.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	File created: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-MMEK3.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SwitchAutoSetup_v0.7.0.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\pkcs1-conv.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\p11-kit.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-547IQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-P0TS2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-JL3NL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\kvno.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\libopencore-amrnb.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\blocked-file-util.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-FJU40.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\IETAG.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-J3R4N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\tclsh86.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-CDLA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-GTHAH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-T2KNG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\wish86.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Dropped PE file which has not been started: C:\ProgramData\glxbs\wlfk6f	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\bzip2recover.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-2NH1K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\GitLab.UI.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-MMEK3.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00510AF1 mov eax, dword ptr fs:[00000030h]	5_2_00510AF1
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00510531 mov edx, dword ptr fs:[00000030h]	5_2_00510531
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00510EA1 mov eax, dword ptr fs:[00000030h]	5_2_00510EA1
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00511141 mov eax, dword ptr fs:[00000030h]	5_2_00511141
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00511140 mov eax, dword ptr fs:[00000030h]	5_2_00511140
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Code function: 5_2_00511B2F mov eax, dword ptr fs:[00000030h]	5_2_00511B2F

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000003.1521581095.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SystemScannerSetup.exe PID: 7612, type: MEMORYSTR

Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.,*.txt
Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.,*.txt
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.,*.txt
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000604000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \MultiDoge\
Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: SystemScannerSetup.exe, 00000005.00000002.2417747470.0000000003920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
95.217.31.199	us.f.goldenloafuae.com	Germany	24940	HETZNER-ASDE	true
142.250.185.196	www.google.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

Name	Malicious	Antivirus Detection	Reputation
https://t.me/l793oy	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	false		high

ID:	1632615
Product:	CloudBasic
Start time:	14:07:20
Start date:	08.03.2025
Sample:	SwitchAutoSetup_v0.7.0.3.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	4ce764cccf817c7f6f527e8d2c69c7e6
SHA1:	ab533c671d0da276e5096455cc841b2703c0f3ef
SHA256:	2959bef771b11c5180c49ab65c8e1db4d2a1c1b079a842f2300fefad35f7bb11
Filetype:	Win32 Executable (generic) a (10002005/4) 98.45%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\glxbs\0zuaie	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\ProgramData\glxbs\2djmo8	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	C7E301D9DD77A21C1CDBD73A63AF205C	715D25AA0C06B2AD162F52A8DE06FB5040C389B1	239C9A49ACDA9FC9845B87819A33D07F359803153FEFFE4D2212989F82DE71E1
C:\ProgramData\glxbs\2ny5p8	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	477F010FDB6BD5E5E57D6DEC5449F2FB	73F9C03AF35B29EC2404BB70FEDC8C9ADADE74F6	2DBEDD5D4D6645E9ED45563FDB1DC42387EF24C9CF5D6A08EC3BE448073C4696
C:\ProgramData\glxbs\3wtj5f	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\glxbs\6fcb1v	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	60145F68B1CF9440FA663820AE11CE4B	10195A2926015E3024D769673E004AA60DFEC0A3	4805E01EB0C9B3DFEB6B754D4148588E2FB798734D9EDE20E53EB8E75158B64F
C:\ProgramData\glxbs\79h47yuk6	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2	BDDE4AD11E732420E7ABCCA946B11611	278C3386A37BAFCA507CF4C128600B01B312DDA0	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
C:\ProgramData\glxbs\89r1ng	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6	C5CFBCA422AD1353E7116A02424C59FD	38F032839FC5E1F890FAA636390A3CC9556AD350	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
C:\ProgramData\glxbs\aa1ng4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	3A9306662FE93D09B05B9AE44128BCF1	77A917FFE8FF0EAAD8F3D3B764836C810E4C9DF5	1988183ECBC3C6987DA9CB598C78B52D7563D995FA94D1E91E0470392E765374
C:\ProgramData\glxbs\aa1ng4wba	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\ProgramData\glxbs\as26fu	SQLite 3.x database, last written using SQLite version 3046000, file counter 6, database pages 41, 1st free page 29, free pages 1, cookie 0x25, schema 4, UTF-8, version-valid-for 6	33642526D21BAF34FB5D5AAF11B3FB91	A64B4A7605D8B449C085474A3484921975EF6C14	3ED06184837C7FF625C54589CA2037F127E0525E3541DE8960A9D5503625862B
C:\ProgramData\glxbs\bsriec	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	381138FA1B1C4C298AD2441898677ED6	B8A0B0ECAAF6F3BBD7C27DD54ACD4BC3366DD0A4	D4EE07BC2183E3D013B68B080B9E2F603676B27F8B0C95CCA2ED533BC671FAFA
C:\ProgramData\glxbs\d2dba1	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\ProgramData\glxbs\f3wl6x	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	63F04FB9936532B21E616E88E3EBED14	56CEC96A0D4B10C6FC28C726B76BEF278CBC512F	61C5B3D0FD4051236AD00A0A39BE2F75F7E0DEC2AFBFF85617AED19AEF3FC650
C:\ProgramData\glxbs\fcbimy	ASCII text, with very long lines (1809), with CRLF line terminators	5D8E5D85E880FB2D153275FCBE9DA6E5	72332A8A92B77A8B1E3AA00893D73FC2704B0D13	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
C:\ProgramData\glxbs\l6xlf3	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	E68A33BDAF7AEBE6D5BBBCEFDED6AC5C	A1120341BB4452FCA47EB5EA8FA62A08BFC48073	A5DC5B9F31D69E6F65F405EF4E187BAB262746AAAC08E95C195AA77A0B310DE1
C:\ProgramData\glxbs\ppzus2	XML 1.0 document, ASCII text, with CRLF line terminators	CD55A48FE382A6820EC4FB55A66C2858	70A0A7B0E12DF915BD5E68FF0432637EFC2153DE	97838AB994B53DFADEEF63955EECB05A7F118C2066EF97B0B0EB7BB48A526451
C:\ProgramData\glxbs\sr90zu	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	6F0056EC818D4FC20158F3FF190D6D6A	9E2108FE560CC2187395C5EED011559D201CE45D	2F9596801DBE57D73C292BE4F93BD0C05F6D0A44C7A45F5F03FDBE35993B7DEC
C:\ProgramData\glxbs\tjeukx	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	2948FF1C0804EC7DB473BB77EB3FBE4E	98A97AFC0E4E2B09A17AA0746F455DFD24356357	2F6B99F5915A462CAFF60950839E1498F12C9F8194DB3DA02251C5BD2CAD700E
C:\ProgramData\glxbs\usrqq1	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	4DBFCA3B87A59186D2612A95CA2CD899	4C84BD2D60CE789B44070CDDC296C09D2F52B1CC	2C229D8DA31E17FCEF244A8A2029CA8FE8374738A9ECBFED9E23FB89DB8DF059
C:\ProgramData\glxbs\v3e3wl	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	ECC51190BD585AB376691BBDDF2A638B	84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0	6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
C:\ProgramData\glxbs\vs0hvs	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	2D6ACF2AEC5E5349B16581C8AE23BF3E	0AA7B29E8F13EB16F3DFC503D4E8CC55424ECB15	B48F54A1F8A4C3A25D7E0FBCB95BF2C825C89ACD9C80EBACE8C15681912EDEA2
C:\ProgramData\glxbs\wlfk6f	PE32+ executable (DLL) (console) x86-64, for MS Windows	6AEAEBF650EFC93CD3B6670A05724FE8	A4FE07E6C678AC8D4DC095997DB5043668D103B4	C86891B9DF9FEEA2E98F50C9950CB446DB97A513AF0C23810F7CA818A6187329
C:\ProgramData\glxbs\y5fc2v	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2	2CD2840E30F477F23438B7C9D031FC08	03D5410A814B298B068D62ACDF493B2A49370518	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\json[1].json	JSON data	E960921B37959BA8C1E8D0DDF14E52F5	31DA673B61F329E6BB6B5007C49A9BFF0B21A79A	F17A0D50B134205F036CEC723D8F9D4DC6A07BD4B3AA4ED1775DF0C0B1D5C7A4
C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_iscrypt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A69559718AB506675E907FE49DEB71E9	BC8F404FFDB1960B50C12FF9413C893B56F2E36F	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_isdecmp.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	077CB4461A2767383B317EB0C50F5F13	584E64F1D162398B7F377CE55A6B5740379C4282	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
C:\Users\user\AppData\Local\Temp\is-2P8JE.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-7PC5R.tmp\SwitchAutoSetup_v0.7.0.3.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	936F45C3C0CFC53736EBA6F1D614855E	A69A8FCB35CC9B88C4484FAF5AA35B178B22D6DB	942BD934C51C6C940FB003F14FCAED6C6CC04043FDA765C1A5B4928F86EFFEAE
C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_iscrypt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A69559718AB506675E907FE49DEB71E9	BC8F404FFDB1960B50C12FF9413C893B56F2E36F	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_isdecmp.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	077CB4461A2767383B317EB0C50F5F13	584E64F1D162398B7F377CE55A6B5740379C4282	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
C:\Users\user\AppData\Local\Temp\is-H7329.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-P16Q6.tmp\SwitchAutoSetup_v0.7.0.3.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	936F45C3C0CFC53736EBA6F1D614855E	A69A8FCB35CC9B88C4484FAF5AA35B178B22D6DB	942BD934C51C6C940FB003F14FCAED6C6CC04043FDA765C1A5B4928F86EFFEAE
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\IETAG.DLL (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	D14F2096164045863F27495C77454C03	BFA7E8E9D2B450CD2990B7F289779FDB252294C3	D93C2D20D382968034C3F6000EE927762EDF58501AE3448C7E87739C5C9CAFDF
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\SystemScannerSetup.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	810FE193D35FE0D6577E9E3455F70579	4F9DF106BA785B6D9A118895C5513262D1C53B27	B118A257A03910F6A7E0F5E1ED05F414961796A07F4C881E4237E1F672369448
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\GitLab.UI.exe (copy)	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	C647366EEF0DBF13980CD384F8E75363	9D3269E05CE8BC9D8FEEACDD70DBBAA4D9AD65DD	A85E6A39274AD80848B5C3E2F9CDBC1CC1E333AB17178FF4FB8FCFEE25E63399
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\blocked-file-util.exe (copy)	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	3B39E7D454B522240CE14DAAE58B78D4	83B9DF7998E1B074D2AD5F98B85523F9D26D38B2	04743E4E01EF9667B5910403003BE730F3B85477A72AB0A76608F1B569206DA3
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\bzip2recover.exe (copy)	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	34FC582D9D8770DC02504FC8563762D3	37CF62D05D8422740D7D3516F41521CB8392ACB5	89BE78A91F98FEC41F28797A769CF87D2E14586862B759BC05C57853A56D6405
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-CDLA5.tmp	PE32+ executable (console) x86-64, for MS Windows	B7E5D9A2DC7E37D13DCFA24E7C81C0F8	F87BDDA9FF570FF3D53CDFA3393B7A2D826B8DDA	B51EB89D1DFB794095E98FBF1B87373006A1BC6DDA6FCEBFC86402804C32F7C6
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-FJU40.tmp	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	B94CE9A4C4630BD89BC1755216EB3E9E	E957F674AC78D27304A493BA9795DD2FA4056E32	C924DCF0B11ACF90F268CE5BAF415DC25F07A680CE7691AFE07A0A2F996A8DC3
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-GTHAH.tmp	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	34FC582D9D8770DC02504FC8563762D3	37CF62D05D8422740D7D3516F41521CB8392ACB5	89BE78A91F98FEC41F28797A769CF87D2E14586862B759BC05C57853A56D6405
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-J3R4N.tmp	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	04E5E2F8AD46008A4691874BFC4A7A5D	94A08EEE1B13612CC11B77EBF44ECE901362DF31	FC199EE77BC8AB131CF21BA332FAFCC8A7132E7006D69A6E4195D48962C87FA0
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-JL3NL.tmp	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	8DCB2D2E4BBE3B57BEA6F9CE03579A3B	32751471DDADD3A1E0D258E81FA8AEAF74631118	3F0D9D8B94AE07A4147069541FB4A1E581632841E3067E67A788706E82D31510
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-MMEK3.tmp	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	C647366EEF0DBF13980CD384F8E75363	9D3269E05CE8BC9D8FEEACDD70DBBAA4D9AD65DD	A85E6A39274AD80848B5C3E2F9CDBC1CC1E333AB17178FF4FB8FCFEE25E63399
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-P0TS2.tmp	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	3B39E7D454B522240CE14DAAE58B78D4	83B9DF7998E1B074D2AD5F98B85523F9D26D38B2	04743E4E01EF9667B5910403003BE730F3B85477A72AB0A76608F1B569206DA3
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\is-T2KNG.tmp	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	4B5DAD83B33A44E85274CFBCDADD1F20	3A2693AABF6A149E320CEBAECAC070EE80740A6B	898B9219F3F1F380E11F056AB9CD030469699124326622D6C0A5F5580B35A55E
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\kvno.exe (copy)	PE32+ executable (console) x86-64, for MS Windows	B7E5D9A2DC7E37D13DCFA24E7C81C0F8	F87BDDA9FF570FF3D53CDFA3393B7A2D826B8DDA	B51EB89D1DFB794095E98FBF1B87373006A1BC6DDA6FCEBFC86402804C32F7C6
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\p11-kit.exe (copy)	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	8DCB2D2E4BBE3B57BEA6F9CE03579A3B	32751471DDADD3A1E0D258E81FA8AEAF74631118	3F0D9D8B94AE07A4147069541FB4A1E581632841E3067E67A788706E82D31510
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\pkcs1-conv.exe (copy)	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	4B5DAD83B33A44E85274CFBCDADD1F20	3A2693AABF6A149E320CEBAECAC070EE80740A6B	898B9219F3F1F380E11F056AB9CD030469699124326622D6C0A5F5580B35A55E
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\tclsh86.exe (copy)	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	B94CE9A4C4630BD89BC1755216EB3E9E	E957F674AC78D27304A493BA9795DD2FA4056E32	C924DCF0B11ACF90F268CE5BAF415DC25F07A680CE7691AFE07A0A2F996A8DC3
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\bin\wish86.exe (copy)	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	04E5E2F8AD46008A4691874BFC4A7A5D	94A08EEE1B13612CC11B77EBF44ECE901362DF31	FC199EE77BC8AB131CF21BA332FAFCC8A7132E7006D69A6E4195D48962C87FA0
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-2NH1K.tmp	PE32+ executable (DLL) (console) x86-64, for MS Windows	D14F2096164045863F27495C77454C03	BFA7E8E9D2B450CD2990B7F289779FDB252294C3	D93C2D20D382968034C3F6000EE927762EDF58501AE3448C7E87739C5C9CAFDF
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-547IQ.tmp	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	1B7E5942B6922B0002D1684BD07C172E	4F066E55BE98BB28FB95CA499E0BE34CF28A435D	C12ABEFB806D963B097B58405E5E945DA194CD2F564D2CF395E5B9CEFF000553
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\is-QSQJJ.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	810FE193D35FE0D6577E9E3455F70579	4F9DF106BA785B6D9A118895C5513262D1C53B27	B118A257A03910F6A7E0F5E1ED05F414961796A07F4C881E4237E1F672369448
C:\Users\user\AppData\Roaming\{A7F7D5A3-B325-4F57-929C-68BC253DBE9A}\libopencore-amrnb.dll (copy)	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	1B7E5942B6922B0002D1684BD07C172E	4F066E55BE98BB28FB95CA499E0BE34CF28A435D	C12ABEFB806D963B097B58405E5E945DA194CD2F564D2CF395E5B9CEFF000553
Chrome Cache Entry: 100	ASCII text, with very long lines (4268)	82A6FBB66FDCBCF28E20DDD9F9A5D616	8D6955D73CF6FB226C12C9677A186A6927483DD4	DE431A6403C9E92F552E5F258A65DA422F14A306EA208720C6179F032E137173
Chrome Cache Entry: 101	ASCII text, with very long lines (5162), with no line terminators	70A8F21806E7F1B739937970EBE49A0C	6BE9EEBCE438DE91FEB20E6A5458774B327AA9B4	C8B531CFD6E9BE13762E289820F67406331303CD5111A885DE959BF83DD0F5AC
Chrome Cache Entry: 98	ASCII text	6FED308183D5DFC421602548615204AF	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
Chrome Cache Entry: 99	ASCII text, with very long lines (65531)	17664E915B445A49BD4A0EDE879CE2F8	D1EA51624335D98680F224EA0FE3F1FF69B7F8D6	4ECFE31940FF08EA1A2B79FE0B8422D28C242EC1B721F3DBDCD337FC7E1DB574

Source: chrome.exe, 0000000C.00000002.1772994935.00000E540144C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: is-CDLA5.tmp.3.dr	Binary or memory string: d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres != WAIT_TIMEOUTm->is_locked == 0d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres != WAIT_ABANDONEDd:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hres == WAIT_OBJECT_0d:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.hd:\build\ob\bora-1188790\generic\krb5-1.11.3\src\vmware\src\include\k5-thread.h(m)->h == INVALID_HANDLE_VALUE%s: %s while initializing krb5 librarywhile converting etypewhile opening ccacheresolving keytab %swhile parsing principal name %swhile getting client principal namewhile parsing principal name %swhile formatting parsed principal name for '%s'client and server principal names must matchwhile getting credentials for %swhile decoding ticket for %s%s: kvno = %d, keytab entry invalid
Source: is-CDLA5.tmp.3.dr	Binary or memory string: http://www.vmware.com/0
Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service?a(
Source: SwitchAutoSetup_v0.7.0.3.tmp, 00000001.00000002.1177180087.000000000086D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SystemScannerSetup.exe, 00000005.00000003.1461796705.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1491978923.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000003.1521641183.0000000000620000.00000004.00000020.00020000.00000000.sdmp, SystemScannerSetup.exe, 00000005.00000002.2411980678.0000000000620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SystemScannerSetup.exe, 00000005.00000002.2411980678.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes)]G
Source: is-CDLA5.tmp.3.dr	Binary or memory string: VMware, Inc.0
Source: chrome.exe, 0000000C.00000003.1701480510.0000024B2630E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses
Source: chrome.exe, 0000000C.00000002.1754446407.0000024B2403F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.sysgap
Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service<f
Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: chrome.exe, 0000000C.00000002.1755024146.0000024B26229000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000C.00000003.1698333011.0000024B299F5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1697329287.0000024B299F5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1701727729.0000024B299F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Tim

Windows Analysis Report SwitchAutoSetup_v0.7.0.3.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
SwitchAutoSetup_v0.7.0.3.exe

Malware Threat Intel
Provided by