Edit tour

Windows Analysis Report
ZEemZXPukh.exe

Overview

General Information

Sample name:	ZEemZXPukh.exe renamed because original name is a hash value
Original sample name:	5f2908cd862899534c760c7d046e3f1d75264507eb29127d2c4e6c19d1771da6.exe
Analysis ID:	1638539
MD5:	4fd16b0aab0ef410b9b617d9c1abf13f
SHA1:	e645323b6e25208f22926c31429151259f9b9b97
SHA256:	5f2908cd862899534c760c7d046e3f1d75264507eb29127d2c4e6c19d1771da6
Tags:	exesuperreuser-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Suricata IDS alerts with low severity for network traffic

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ZEemZXPukh.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\ZEemZXPukh.exe" MD5: 4FD16B0AAB0EF410B9B617D9C1ABF13F)

ZEemZXPukh.tmp (PID: 7896 cmdline: "C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp" /SL5="$20466,19707157,858112,C:\Users\user\Desktop\ZEemZXPukh.exe" MD5: E334F61860603877E314C1E872B9832A)

ZEemZXPukh.exe (PID: 7932 cmdline: "C:\Users\user\Desktop\ZEemZXPukh.exe" /VERYSILENT MD5: 4FD16B0AAB0EF410B9B617D9C1ABF13F)

ZEemZXPukh.tmp (PID: 7972 cmdline: "C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp" /SL5="$2046A,19707157,858112,C:\Users\user\Desktop\ZEemZXPukh.exe" /VERYSILENT MD5: E334F61860603877E314C1E872B9832A)

EuAccountCenter.exe (PID: 5688 cmdline: "C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe" MD5: 067620AA1755BDA551B519E6B2D56AD9)

AppLaunch.exe (PID: 5852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

chrome.exe (PID: 1212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5900 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2312,i,15222031722940320858,8343438720841088650,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2468 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["fusrryfables.today/aNWus", "begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000002.1518989296.0000000003381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.1517644912.0000000000F50000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x132744:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x135cda:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000A.00000003.1507895636.00000000044D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.1534561169.00000000062F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.2520808657.0000000004B88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.1507895636.0000000004630000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: EuAccountCenter.exe PID: 5688	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: AppLaunch.exe PID: 5852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.EuAccountCenter.exe.62f0000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.3.EuAccountCenter.exe.45311c4.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.EuAccountCenter.exe.62f0000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.EuAccountCenter.exe.f524b8.1.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x12e48c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
11.2.AppLaunch.exe.4700000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
10.2.EuAccountCenter.exe.f524b8.1.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x13028c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x133822:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
10.3.EuAccountCenter.exe.46309b0.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.3.EuAccountCenter.exe.45311c4.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.3.EuAccountCenter.exe.46309b0.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, ParentProcessId: 5852, ParentProcessName: AppLaunch.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, ProcessId: 1212, ProcessName: chrome.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:06:47.419235+0100	2028371	3	Unknown Traffic	192.168.2.4	65443	149.154.167.99	443	TCP
2025-03-14T14:06:48.927469+0100	2028371	3	Unknown Traffic	192.168.2.4	65446	23.197.127.21	443	TCP
2025-03-14T14:06:50.151857+0100	2028371	3	Unknown Traffic	192.168.2.4	65447	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZEemZXPukh.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://fusrryfables.today/aNWus	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHY	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["fusrryfables.today/aNWus", "begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe (copy)	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-EGV3K.tmp	ReversingLabs: Detection: 15%

Multi AV Scanner detection for submitted file

Source: ZEemZXPukh.exe	Virustotal: Detection: 23%			Perma Link
Source: ZEemZXPukh.exe	ReversingLabs: Detection: 28%

Sample uses string decryption to hide its real strings

Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fusrryfables.today/aNWus
Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: begindecafer.world/QwdZdf
Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garagedrootz.top/oPsoJAN
Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: modelshiverd.icu/bJhnsj
Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: arisechairedd.shop/JnsHY
Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: catterjur.run/boSnzhu
Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: orangemyther.live/IozZ
Source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fostinjec.today/LksNAz

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471B1D8 CryptUnprotectData,		11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471B1D8 CryptUnprotectData,		11_2_0471B1D8

Source: ZEemZXPukh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:65443 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:65446 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:65447 version: TLS 1.2

Source: ZEemZXPukh.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\build\ob\bora-811341\generic\boost-1.47.0\buildroot\win64\boost\bin.v2\libs\python\build\msvc-9.0\rls\adrs-mdl-64\dbg-symbl-on\thrd-mlt\boost_python-vc90-mt-1_47.pdb source: is-5E4VC.tmp.4.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: EuAccountCenter.exe, 0000000A.00000002.1533270031.0000000004634000.00000004.00000800.00020000.00000000.sdmp, EuAccountCenter.exe, 0000000A.00000002.1534824722.0000000006520000.00000004.08000000.00040000.00000000.sdmp, EuAccountCenter.exe, 0000000A.00000002.1533270031.0000000004528000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: EuAccountCenter.exe, EuAccountCenter.exe, 0000000A.00000002.1533270031.0000000004634000.00000004.00000800.00020000.00000000.sdmp, EuAccountCenter.exe, 0000000A.00000002.1534824722.0000000006520000.00000004.08000000.00040000.00000000.sdmp, EuAccountCenter.exe, 0000000A.00000002.1533270031.0000000004528000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: t:\nlg\x64\ship\0\mshy7en.pdb source: is-96BRU.tmp.4.dr
Source:	Binary string: 4\ship\0\mshy7en.dll\bbtopt\mshy7enO.pdb source: is-96BRU.tmp.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: AXEDOMCore.pdb source: is-RGB48.tmp.4.dr
Source:	Binary string: t:\nlg\x64\ship\0\mshy7en.pdb4\ship\0\mshy7en.dll\bbtopt\mshy7enO.pdb source: is-96BRU.tmp.4.dr
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	11_2_0471A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	11_2_0471EEFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	11_2_0471EEFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then lea eax, dword ptr [ecx-6C0B83CEh]	11_2_0470D780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_04711822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-000000FEh]	11_2_0474D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	11_2_0474D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	11_2_0474C1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [edx], cx	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+14h]	11_2_0470DA3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+317AB538h]	11_2_0470DA3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov edx, edi	11_2_04723A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov eax, ecx	11_2_0471EB66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [edx], cx	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov byte ptr [esi], al	11_2_0473845D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+03h]	11_2_04724430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov byte ptr [edi], cl	11_2_047374D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+5Dh]	11_2_0470DC9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [edx], cx	11_2_0471B55A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	11_2_0471B55A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	11_2_0471B55A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	11_2_0471B55A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_04732540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-52h]	11_2_04730670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2Ch]	11_2_04730650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	11_2_04733EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	11_2_0474B680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then jmp eax	11_2_0470F769
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 8D94E5DFh	11_2_04744750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	11_2_04744750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+03h]	11_2_04725F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+02h]	11_2_04729F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68h]	11_2_0471FF37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	11_2_04722792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	11_2_0474B790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62h]	11_2_04712F82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	11_2_047490EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	11_2_0474C8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	11_2_047300B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	11_2_0471E0AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [eax], dx	11_2_0471E0AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	11_2_04740880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movsx edx, byte ptr [ebx+ecx]	11_2_0474A88E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	11_2_0470E174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+12h]	11_2_0470C130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-38B2FA5Ch]	11_2_04732120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_04732120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-25088CECh]	11_2_04712124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_04729910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	11_2_0474B900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp], ebx	11_2_047369C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	11_2_0474B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000B2h]	11_2_04710994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	11_2_0471D99F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [eax], dx	11_2_0471D99F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	11_2_04748240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h]	11_2_04748240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6C0B83D6h]	11_2_04748240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	11_2_0474BA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	11_2_0471E2C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-79B0712Ah]	11_2_0472DAA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, word ptr [eax]	11_2_0472DAA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	11_2_0472DAA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	11_2_047292A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	11_2_0471A370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h	11_2_04744B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+02h]	11_2_04711368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov byte ptr [esi], al	11_2_0473836E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h]	11_2_04720B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+10h]	11_2_04720B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+12EB444Ah]	11_2_0470FB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov ebp, eax	11_2_04708B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov ebp, edx	11_2_0474C320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	11_2_0472D32F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	11_2_0471D315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2B12B9D2h]	11_2_0472F3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov byte ptr [edi], cl	11_2_047373CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_0472CBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	11_2_0470A390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	11_2_0470A390

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fusrryfables.today/aNWus
Source: Malware configuration extractor	URLs: begindecafer.world/QwdZdf
Source: Malware configuration extractor	URLs: garagedrootz.top/oPsoJAN
Source: Malware configuration extractor	URLs: modelshiverd.icu/bJhnsj
Source: Malware configuration extractor	URLs: arisechairedd.shop/JnsHY
Source: Malware configuration extractor	URLs: catterjur.run/boSnzhu
Source: Malware configuration extractor	URLs: orangemyther.live/IozZ
Source: Malware configuration extractor	URLs: fostinjec.today/LksNAz

Source: global traffic

TCP traffic: 192.168.2.4:65442 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /bhgnf453 HTTP/1.1Connection: Keep-AliveHost: t.me
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:65443 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:65446 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:65447 -> 188.114.97.3:443

Source: unknown	DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: garagedrootz.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: arisechairedd.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orangemyther.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fusrryfables.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: begindecafer.world replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sterpickced.digital replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fostinjec.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: catterjur.run replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: modelshiverd.icu replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.150.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.150.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.227
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 11_2_04723E50 recv,

11_2_04723E50

Source: global traffic	HTTP traffic detected: GET /bhgnf453 HTTP/1.1Connection: Keep-AliveHost: t.me
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCOqpzgEIyNHOAQi+1c4BCIDWzgEIwNjOAQjI3M4BCIrgzgEIruTOAQjl5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCOqpzgEIyNHOAQi+1c4BCIDWzgEIwNjOAQjI3M4BCIrgzgEIruTOAQjl5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000003.1579095196.0000421C01644000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000C.00000003.1579095196.0000421C01644000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 0000000C.00000002.2537257024.0000421C006B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: fusrryfables.today
Source: global traffic	DNS traffic detected: DNS query: begindecafer.world
Source: global traffic	DNS traffic detected: DNS query: garagedrootz.top
Source: global traffic	DNS traffic detected: DNS query: modelshiverd.icu
Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: catterjur.run
Source: global traffic	DNS traffic detected: DNS query: orangemyther.live
Source: global traffic	DNS traffic detected: DNS query: fostinjec.today
Source: global traffic	DNS traffic detected: DNS query: sterpickced.digital
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: guntac.bet
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons2.gvt2.com

Source: unknown

HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 73Host: guntac.bet

Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000000C.00000002.2537684148.0000421C00860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 0000000C.00000002.2545744356.0000421C01950000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2534855848.0000421C00004000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/uma/v2
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: chrome.exe, 0000000C.00000002.2538112828.0000421C009A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgyNjAt
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_third_pa
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/ac6ci5mwrvihfwmuttvglzv6q75a_2024.11.26.0/mcfjlbnicoc
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemjh
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihi
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelglejhemejginpboa
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/gonpemdgkjce
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/ad6bqrogtrdeb2aualzvp3izob2a_3/hajigopbbjhghbfimgkfmp
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adachi2g2co7ajxpgopfjwjj5rta_3065/jflookgnkcckhobagln
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/efniojlnjndmcbiieeg
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/niikhdgajlph
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmjkmgdlgnkkcocm
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpng
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/kiabhabjdbkj
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncanleaf
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/fpm7b3lyymiazxgd7zkf5fvmra_2024.10.17.0/pmagihnlncbce
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkhlaaea
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/pkomkdjpmjfbkg
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/mkivtge3msks7oojy4pnek42py_2025.3.13.1/jflhchccmppkfe
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/hfnkpimlhhgieaddgfemj
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/pmztx7tk73bjttcb4b6ys6fixq_2025.1.3.1202/ggkkehgbnfjp
Source: chrome.exe, 0000000C.00000002.2541555077.0000421C010F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/niikhdgajlphfehepabhhblakbdgeefj/5ce9624f6cd20b48002
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6ci5mwrvihfwmuttvglzv6q75a_2024.11.26.0
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebnd
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelglej
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad6bqrogtrdeb2aualzvp3izob2a_3/hajigopbbj
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adachi2g2co7ajxpgopfjwjj5rta_3065/jflookg
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/efniojl
Source: chrome.exe, 0000000C.00000002.2535250367.0000421C00100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmjk
Source: chrome.exe, 0000000C.00000002.2535250367.0000421C00100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.23
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/fpm7b3lyymiazxgd7zkf5fvmra_2024.10.17.0/p
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbog
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/pk
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/mkivtge3msks7oojy4pnek42py_2025.3.13.1/jf
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/hfnkpimlh
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pmztx7tk73bjttcb4b6ys6fixq_2025.1.3.1202/
Source: is-AKARE.tmp.4.dr	String found in binary or memory: http://git-media.io/v/2index
Source: chrome.exe, 0000000C.00000002.2535280225.0000421C0011C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-V4EL8.tmp.4.dr, is-AKARE.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-AKARE.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: chrome.exe, 0000000C.00000002.2541070316.0000421C00F7B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS0
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.cr
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://s2.symcb.com0
Source: EuAccountCenter.exe, 0000000A.00000002.1518989296.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampU
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/suI
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://sv.symcd.com0&
Source: chrome.exe, 0000000C.00000002.2540154357.0000421C00DB8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: is-V4EL8.tmp.4.dr, is-AKARE.tmp.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgy
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/r
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_thir
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3tory
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/ac6ci5mwrvihfwmuttvglzv6q75a_2024.11.26.0/mcfjlbn
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppe
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnn
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelglejhemejgin
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/gonpemdg
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/ad6bqrogtrdeb2aualzvp3izob2a_3/hajigopbbjhghbfimg
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adachi2g2co7ajxpgopfjwjj5rta_3065/jflookgnkcckhob
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/efniojlnjndmcbi
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/niikhdga
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmjkmgdlgnkk
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eei
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/kiabhabj
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncan
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/fpm7b3lyymiazxgd7zkf5fvmra_2024.10.17.0/pmagihnln
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkhl
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/pkomkdjpmj
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/mkivtge3msks7oojy4pnek42py_2025.3.13.1/jflhchccmp
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/hfnkpimlhhgieaddg
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/pmztx7tk73bjttcb4b6ys6fixq_2025.1.3.1202/ggkkehgb
Source: chrome.exe, 0000000C.00000002.2540258796.0000421C00DD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: is-V4EL8.tmp.4.dr, is-RGB48.tmp.4.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: chrome.exe, 0000000C.00000002.2523970013.00000245807F6000.00000002.00000001.00040000.00000015.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: http://www.winzip.com/authenticode.htm0
Source: chrome.exe, 0000000C.00000002.2540068432.0000421C00DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000002.2534917007.0000421C00038000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: EuAccountCenter.exe, 0000000A.00000002.1517005428.00000000007ED000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://accounts.easeus.com/account-api/api/auth/logoutinternal
Source: EuAccountCenter.exe, 0000000A.00000002.1517005428.00000000007ED000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://accounts.easeus.com/account-api/api/auth/refresh-tokenlimiterEvent.stop:
Source: EuAccountCenter.exe, 0000000A.00000002.1517005428.00000000007ED000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://accounts.easeus.com/account-api/api/auth/token-accessnet/http:
Source: EuAccountCenter.exe, 0000000A.00000002.1517005428.00000000007ED000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://accounts.easeus.com/login?clientCode=invalid
Source: chrome.exe, 0000000C.00000002.2541834001.0000421C01180000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537412480.0000421C0076C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2545403600.0000421C018B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000000C.00000002.2534976402.0000421C00064000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000000C.00000002.2537291369.0000421C00720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adsmeasurement.com
Source: chrome.exe, 0000000C.00000002.2535280225.0000421C00121000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2544491266.0000421C015E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546095228.0000421C01A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604650929.0000421C005C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp, chromecache_77.13.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 0000000C.00000002.2544102469.0000421C01510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2529280423.0000024587DA7000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://appsflyer.com
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHY
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://azubiyo.de
Source: chrome.exe, 0000000C.00000002.2537987993.0000421C00960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: chrome.exe, 0000000C.00000003.1579144315.0000421C01688000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1579031161.0000421C01668000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604464456.0000421C00574000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1578768005.0000421C015D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 0000000C.00000002.2539673487.0000421C00CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2544308334.0000421C0156C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538916372.0000421C00B2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.2540068432.0000421C00DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 0000000C.00000002.2540068432.0000421C00DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 0000000C.00000002.2540068432.0000421C00DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000C.00000003.1578398138.0000421C01520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 0000000C.00000002.2541658528.0000421C01140000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2545744356.0000421C01950000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540258796.0000421C00DD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540031437.0000421C00D74000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 0000000C.00000003.1603424688.0000421C014D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1577964574.0000421C0122C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1578398138.0000421C01520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563217323.0000421800458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563480568.0000421800468000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000C.00000002.2534888739.0000421C00028000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 0000000C.00000002.2535598322.0000421C001C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000000C.00000002.2537987993.0000421C00960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 0000000C.00000002.2537987993.0000421C00960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000000C.00000002.2526621926.00000245837A7000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I
Source: chrome.exe, 0000000C.00000003.1561193486.00002B68000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000C.00000002.2537950981.0000421C00938000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2535598322.0000421C001C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537684148.0000421C00860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000C.00000002.2537473735.0000421C0079C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 0000000C.00000002.2537640082.0000421C00821000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 0000000C.00000002.2537640082.0000421C00821000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000000C.00000002.2537684148.0000421C00860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 0000000C.00000002.2535116871.0000421C000B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/uma/v2
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflar
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2526621926.00000245837AD000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.2534976402.0000421C00092000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2534976402.0000421C00064000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1
Source: chrome.exe, 0000000C.00000002.2542183270.0000421C01204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2534976402.0000421C00092000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2534976402.0000421C00064000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1Content-Type:
Source: chrome.exe, 0000000C.00000002.2542183270.0000421C01204000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/download-dt/1d
Source: chrome.exe, 0000000C.00000002.2526621926.00000245837AD000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1
Source: chrome.exe, 0000000C.00000002.2536384349.0000421C0044C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 0000000C.00000002.2539947633.0000421C00D34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/asuacrsguc:50:0
Source: chrome.exe, 0000000C.00000002.2537507814.0000421C007C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2544590631.0000421C01604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539947633.0000421C00D34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/asuacrsguc:50:0
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2526621926.00000245837AD000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.2535412453.0000421C00160000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539947633.0000421C00D34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/asuacrsguc:50:0Cross-Origin-Opener-Policy-Report-Only:
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dailymail.co.uk
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTgyNjA
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_third_p
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/ac6ci5mwrvihfwmuttvglzv6q75a_2024.11.26.0/mcfjlbnico
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmppeemj
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkih
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelglejhemejginpbo
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/gonpemdgkjc
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/ad6bqrogtrdeb2aualzvp3izob2a_3/hajigopbbjhghbfimgkfm
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adachi2g2co7ajxpgopfjwjj5rta_3065/jflookgnkcckhobagl
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/efniojlnjndmcbiiee
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/niikhdgajlp
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmjkmgdlgnkkcoc
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpn
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/kiabhabjdbk
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncanlea
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/fpm7b3lyymiazxgd7zkf5fvmra_2024.10.17.0/pmagihnlncbc
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkhlaae
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/pkomkdjpmjfbk
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/mkivtge3msks7oojy4pnek42py_2025.3.13.1/jflhchccmppkf
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/hfnkpimlhhgieaddgfem
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/pmztx7tk73bjttcb4b6ys6fixq_2025.1.3.1202/ggkkehgbnfj
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537257024.0000421C006B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.2539673487.0000421C00CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2544308334.0000421C0156C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538916372.0000421C00B2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.2539673487.0000421C00CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2544308334.0000421C0156C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538916372.0000421C00B2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537257024.0000421C006B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.2539673487.0000421C00CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2544308334.0000421C0156C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538916372.0000421C00B2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537257024.0000421C006B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.2539673487.0000421C00CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2544308334.0000421C0156C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538916372.0000421C00B2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537257024.0000421C006B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ebayadservices.c
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.cr
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6ci5mwrvihfwmuttvglzv6q75a_2024.11.26.
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebn
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelgle
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad6bqrogtrdeb2aualzvp3izob2a_3/hajigopbb
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adachi2g2co7ajxpgopfjwjj5rta_3065/jflook
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/efnioj
Source: chrome.exe, 0000000C.00000002.2535250367.0000421C00100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmj
Source: chrome.exe, 0000000C.00000002.2535250367.0000421C00100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.2
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.130
Source: chrome.exe, 0000000C.00000002.2535250367.0000421C00100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/fpm7b3lyymiazxgd7zkf5fvmra_2024.10.17.0/
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbo
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/p
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/mkivtge3msks7oojy4pnek42py_2025.3.13.1/j
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/hfnkpiml
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/pmztx7tk73bjttcb4b6ys6fixq_2025.1.3.1202
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://elle.com
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://finn.no
Source: chrome.exe, 0000000C.00000003.1579895318.0000421C016D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604146885.0000421C01768000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1579391499.0000421C01718000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusrryfables.today/aNWus
Source: chrome.exe, 0000000C.00000002.2540068432.0000421C00DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://git-lfs.github.com/spec/v1.
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://git-lfs.github.com/spec/v1i/o
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://git-scm.com/docs/git-config#git-config-httplturlgt.
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://git-scm.com/docs/gitattributes
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://git-scm.com/docs/gitignore
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://github.com/.locksverify
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://github.com/git-lfs/git-lfs/blob/main/docs/custom-transfers.md
Source: EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: EuAccountCenter.exe, 0000000A.00000002.1533270031.00000000043C3000.00000004.00000800.00020000.00000000.sdmp, EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: EuAccountCenter.exe, 0000000A.00000002.1517005428.00000000007ED000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdreceived
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://github.comidentifier
Source: chrome.exe, 0000000C.00000003.1563480568.0000421800468000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000C.00000003.1563480568.0000421800468000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563217323.0000421800458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563480568.0000421800468000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000C.00000002.2534888739.0000421C00028000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000C.00000002.2537883619.0000421C00904000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 0000000C.00000003.1606446703.0000421C01DE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: is-AKARE.tmp.4.dr	String found in binary or memory: https://hawser.github.com/spec/v1incompatible
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: https://jrsoftware.org/
Source: ZEemZXPukh.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: https://jrsoftware.org0
Source: chrome.exe, 0000000C.00000002.2544590631.0000421C01604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539118074.0000421C00B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539947633.0000421C00D34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000000C.00000002.2536455583.0000421C0046C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000000C.00000003.1579144315.0000421C01688000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604464456.0000421C00574000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 0000000C.00000002.2536026784.0000421C00324000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542834951.0000421C01304000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1578008717.0000421C0110C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540983789.0000421C00F38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2167810519.0000421C01108000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604873648.0000421C01108000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2541589100.0000421C0110C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537412480.0000421C0076C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1574865516.0000421C0110C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2545317988.0000421C01890000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2541795684.0000421C0115C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542761908.0000421C012F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000000C.00000002.2536455583.0000421C0046C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537257024.0000421C006B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://modelshiverd.icu/bJhnsj
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2545192225.0000421C01830000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539947633.0000421C00D34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000000C.00000002.2540983789.0000421C00F38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539782188.0000421C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538660986.0000421C00A74000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000000C.00000002.2539782188.0000421C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537640082.0000421C00821000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538660986.0000421C00A74000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000000C.00000002.2537640082.0000421C00821000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneau
Source: chrome.exe, 0000000C.00000003.1563647401.0000421800498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000C.00000002.2540983789.0000421C00F38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539782188.0000421C00CD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2538660986.0000421C00A74000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp, chrome.exe, 0000000C.00000002.2539420873.0000421C00C24000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1578647865.0000421C0123C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 0000000C.00000002.2546095228.0000421C01A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546224829.0000421C01AB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604650929.0000421C005C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000000C.00000002.2539947633.0000421C00D34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000C.00000002.2544491266.0000421C015E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546095228.0000421C01A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546224829.0000421C01AB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604650929.0000421C005C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000000C.00000002.2544491266.0000421C015E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546095228.0000421C01A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546224829.0000421C01AB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604650929.0000421C005C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 0000000C.00000002.2543543756.0000421C01404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2167835859.0000421C02030000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542880138.0000421C01324000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542948001.0000421C01330000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000C.00000002.2543543756.0000421C01404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542880138.0000421C01324000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542948001.0000421C01330000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542880138.0000421C01324000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000C.00000002.2539473353.0000421C00C34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542880138.0000421C01324000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000C.00000002.2542948001.0000421C01330000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542880138.0000421C01324000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000C.00000002.2543543756.0000421C01404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543068672.0000421C01354000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2167835859.0000421C02030000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728324084&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543543756.0000421C01404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808228&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2167835859.0000421C02030000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808249&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2167835859.0000421C02030000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543068672.0000421C01354000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739894676&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542948001.0000421C01330000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2167835859.0000421C02030000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543068672.0000421C01354000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042075&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 0000000C.00000002.2541196267.0000421C00FC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542948001.0000421C01330000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542880138.0000421C01324000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000C.00000002.2548039896.0000421C0202C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542986582.0000421C0133C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543030777.0000421C01348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000000C.00000002.2540449105.0000421C00E48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetModels?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
Source: chrome.exe, 0000000C.00000003.1579144315.0000421C01688000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1579031161.0000421C01668000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604464456.0000421C00574000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 0000000C.00000002.2537950981.0000421C00938000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 0000000C.00000002.2544590631.0000421C01604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2545403600.0000421C018B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542104164.0000421C011EC000.00000004.00001000.00020000.00000000.sdmp, chromecache_77.13.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp, chrome.exe, 0000000C.00000002.2539420873.0000421C00C24000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1578647865.0000421C0123C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539636412.0000421C00C80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 0000000C.00000002.2537291369.0000421C00720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000C.00000002.2537291369.0000421C00720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win6
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://redirector.gvt1.com/edgedl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.c
Source: chrome.exe, 0000000C.00000002.2536294056.0000421C003D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000C.00000002.2535387249.0000421C00154000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2535357738.0000421C00134000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: ZEemZXPukh.tmp, 00000004.00000003.1380967597.000000000359D000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000002.1383214456.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: chrome.exe, 0000000C.00000002.2535800903.0000421C0022C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540258796.0000421C00DD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://seedtag.com
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000C.00000002.2544590631.0000421C01604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539118074.0000421C00B9C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539947633.0000421C00D34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sitescout.com
Source: chrome.exe, 0000000C.00000002.2535280225.0000421C00121000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000000C.00000002.2536455583.0000421C0046C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: EuAccountCenter.exe, 0000000A.00000002.1518989296.0000000003381000.00000004.00000800.00020000.00000000.sdmp, EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: EuAccountCenter.exe, 0000000A.00000002.1534785594.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfiltez
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sterpickced.digital/plSOz
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.sG
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 0000000C.00000002.2536990759.0000421C005DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: chrome.exe, 0000000C.00000002.2543068672.0000421C01354000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: chrome.exe, 0000000C.00000002.2543068672.0000421C01354000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20161
Source: chrome.exe, 0000000C.00000002.2543068672.0000421C01354000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: chrome.exe, 0000000C.00000002.2543068672.0000421C01354000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e175
Source: AppLaunch.exe, 0000000B.00000002.2518259431.00000000046FB000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2520066064.0000000004AE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bhgnf453
Source: chrome.exe, 0000000C.00000002.2540258796.0000421C00DD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tailtarget.com
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tamedia.com.tw
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tangooserver.com
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://trkkn.com
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tya-dev.com
Source: chrome.exe, 0000000C.00000003.2208459541.0000421C005C5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2208910807.0000421C004B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.2208459541.0000421C005C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://update.googleapis.com/service/update2/json?cup2key=14:PElfUwxkbyHHJTv8TP0A30ybkhIjnoIFkOEGmH
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: chrome.exe, 0000000C.00000002.2540343308.0000421C00E04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://worldhistory.org
Source: ZEemZXPukh.tmp, 00000001.00000003.1264021066.0000000002383000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000004.00000003.1381390895.0000000002384000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr, _isdecmp.dll.1.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: is-V4EL8.tmp.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: chrome.exe, 0000000C.00000002.2540068432.0000421C00DA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 0000000C.00000002.2535280225.0000421C00121000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000C.00000002.2535280225.0000421C00121000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000C.00000002.2526621926.00000245837A7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.2540374810.0000421C00E20000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000C.00000002.2544590631.0000421C01604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000000C.00000002.2545744356.0000421C01950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 0000000C.00000002.2537950981.0000421C00938000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 0000000C.00000002.2537987993.0000421C00960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 0000000C.00000002.2537987993.0000421C00960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000C.00000002.2525695129.0000024582690000.00000002.00000001.00040000.00000018.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 0000000C.00000002.2540983789.0000421C00F38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539063015.0000421C00B78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2539636412.0000421C00C80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00MGQ5LTg
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/
Source: chrome.exe, 0000000C.00000002.2547469085.0000421C01F48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/AMpg5-cnrANo_2018.8.8.0/2018.8.8.0_win64_win_thi
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/V3P1l2hLvLw_7/7_all_sslErrorAssistant.crx3tory
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/ac6ci5mwrvihfwmuttvglzv6q75a_2024.11.26.0/mcfjlb
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebndkojlmpp
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcn
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acuigjey24xakmge43ocbxrkkfbq_490/lmelglejhemejgi
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acwdvlndwbio5flgptu6licnn44q_2025.2.25.0/gonpemd
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/ad6bqrogtrdeb2aualzvp3izob2a_3/hajigopbbjhghbfim
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adachi2g2co7ajxpgopfjwjj5rta_3065/jflookgnkcckho
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adjgpjmra4jmuwfmqagvooxa7hua_1249/efniojlnjndmcb
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/niikhdg
Source: chrome.exe, 0000000C.00000002.2535567250.0000421C001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmjkmgdlgnk
Source: chrome.exe, 0000000C.00000002.2535250367.0000421C00100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/ee
Source: chrome.exe, 0000000C.00000002.2536717260.0000421C004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/kiabhab
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocnca
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/fpm7b3lyymiazxgd7zkf5fvmra_2024.10.17.0/pmagihnl
Source: chrome.exe, 0000000C.00000002.2537606874.0000421C00804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/j2hxfei2occ5siitujtlwgp6xi_3/ojhpjlocmbogdgmfpkh
Source: chrome.exe, 0000000C.00000002.2538774935.0000421C00A98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/pkomkdjpm
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/mkivtge3msks7oojy4pnek42py_2025.3.13.1/jflhchccm
Source: chrome.exe, 0000000C.00000003.2208991663.0000421C02104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/
Source: chrome.exe, 0000000C.00000002.2537917960.0000421C00924000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/pbwyzbupba5reuzm6ecrvr5xzm_9616/hfnkpimlhhgieadd
Source: chrome.exe, 0000000C.00000002.2541153215.0000421C00F88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/pmztx7tk73bjttcb4b6ys6fixq_2025.1.3.1202/ggkkehg
Source: chrome.exe, 0000000C.00000002.2540068432.0000421C00DA0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2536990759.0000421C005DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537114567.0000421C00674000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537640082.0000421C00821000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 0000000C.00000002.2536455583.0000421C0046C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000C.00000002.2536424654.0000421C0045C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000000C.00000002.2536424654.0000421C0045C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit7E
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000000C.00000003.1563695133.00004218004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563808110.00004218004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563939577.00004218004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563647401.0000421800498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 0000000C.00000003.1606681146.0000421C01B54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1605676917.0000421800604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000C.00000003.1563695133.00004218004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563808110.00004218004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563939577.00004218004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563647401.0000421800498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerForcedOn_PlusAddressAndroidOpenGmsCoreManagementP
Source: chrome.exe, 0000000C.00000003.1563695133.00004218004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563808110.00004218004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563528290.000042180048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563939577.00004218004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1563647401.0000421800498000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerPlusAddressOfferCreationIfPasswordFieldIsNotVisib
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000000C.00000002.2535739279.0000421C00207000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000000C.00000002.2535280225.0000421C00121000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000C.00000002.2535280225.0000421C00121000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000C.00000002.2544590631.0000421C01604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000C.00000002.2546137487.0000421C01A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1603838327.0000421C01700000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000C.00000002.2544491266.0000421C015E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546095228.0000421C01A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546224829.0000421C01AB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604650929.0000421C005C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eebVy_fNKiM.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000000C.00000002.2544491266.0000421C015E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546095228.0000421C01A7C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2546224829.0000421C01AB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1604650929.0000421C005C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1606218394.0000421C01AFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.sDa5bc0wD58.L.W.O/m=qmd
Source: ZEemZXPukh.exe, 00000000.00000003.1257958413.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000001.00000000.1259136384.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: ZEemZXPukh.exe, 00000000.00000003.1257958413.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, ZEemZXPukh.tmp, 00000001.00000000.1259136384.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 0000000C.00000002.2538022099.0000421C00984000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537257024.0000421C006B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2537291369.0000421C00766000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65443 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65447 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65456 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65461 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65463 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65446
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65447
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65469
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65481
Source: unknown	Network traffic detected: HTTP traffic on port 65469 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65462
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65463
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65460
Source: unknown	Network traffic detected: HTTP traffic on port 65446 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65461
Source: unknown	Network traffic detected: HTTP traffic on port 65460 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65462 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65481 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65457 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65455 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65455
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65456
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65454
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65457

Source: unknown	HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:65443 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:65446 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:65447 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 11_2_0473EF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

11_2_0473EF10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 11_2_0473EF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

11_2_0473EF10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 11_2_0473F0B0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

11_2_0473F0B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 11_2_04721EB0 CreateDesktopW,

11_2_04721EB0

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.EuAccountCenter.exe.f524b8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 10.2.EuAccountCenter.exe.f524b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.1517644912.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06526E5B	10_2_06526E5B
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F5043B	10_2_00F5043B
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_01083DC0	10_2_01083DC0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_010841F8	10_2_010841F8
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F50000	10_2_00F50000
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_010839F0	10_2_010839F0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_01084C98	10_2_01084C98
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_01082AFC	10_2_01082AFC
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_010874F0	10_2_010874F0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_030FAB48	10_2_030FAB48
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_030FECB0	10_2_030FECB0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_030FAB39	10_2_030FAB39
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_030FB4D8	10_2_030FB4D8
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06210040	10_2_06210040
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062119A3	10_2_062119A3
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06215EA0	10_2_06215EA0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06215EB0	10_2_06215EB0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06216FC1	10_2_06216FC1
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06216FD0	10_2_06216FD0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06210007	10_2_06210007
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_0621D0A1	10_2_0621D0A1
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_0621D0B0	10_2_0621D0B0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_06214108	10_2_06214108
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C7C58	10_2_062C7C58
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C0206	10_2_062C0206
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C9A00	10_2_062C9A00
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062CDBC0	10_2_062CDBC0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062CA0F9	10_2_062CA0F9
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C10FA	10_2_062C10FA
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C0621	10_2_062C0621
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C4E32	10_2_062C4E32
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062CDEE7	10_2_062CDEE7
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062CA72B	10_2_062CA72B
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062CA738	10_2_062CA738
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C0FE8	10_2_062C0FE8
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C0FD8	10_2_062C0FD8
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C7C48	10_2_062C7C48
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062CEDB8	10_2_062CEDB8
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C68E9	10_2_062C68E9
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C99FB	10_2_062C99FB
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062DD038	10_2_062DD038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471A430	11_2_0471A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04743C30	11_2_04743C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047155F6	11_2_047155F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470E660	11_2_0470E660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04723E50	11_2_04723E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471EEFE	11_2_0471EEFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047476C0	11_2_047476C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04749775	11_2_04749775
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470D780	11_2_0470D780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04724860	11_2_04724860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04711822	11_2_04711822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474D0C0	11_2_0474D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471B1D8	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470DA3A	11_2_0470DA3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04723A80	11_2_04723A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470C470	11_2_0470C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471B1D8	11_2_0471B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04735440	11_2_04735440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04735CF0	11_2_04735CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474BCE0	11_2_0474BCE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04741CC2	11_2_04741CC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470DC9E	11_2_0470DC9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474CC80	11_2_0474CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0473357B	11_2_0473357B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04747D50	11_2_04747D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471B55A	11_2_0471B55A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04732540	11_2_04732540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471CD45	11_2_0471CD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0473C530	11_2_0473C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047095B0	11_2_047095B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047245B0	11_2_047245B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0473E5A0	11_2_0473E5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470B590	11_2_0470B590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04703580	11_2_04703580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04720589	11_2_04720589
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04730670	11_2_04730670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474266C	11_2_0474266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04730650	11_2_04730650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04707E30	11_2_04707E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04739E08	11_2_04739E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474BE90	11_2_0474BE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474B680	11_2_0474B680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0472F760	11_2_0472F760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04744750	11_2_04744750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04745747	11_2_04745747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04703F20	11_2_04703F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04742FF0	11_2_04742FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0473BFA3	11_2_0473BFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04702790	11_2_04702790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04716F90	11_2_04716F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474B790	11_2_0474B790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0472D850	11_2_0472D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04701040	11_2_04701040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04709030	11_2_04709030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04704802	11_2_04704802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04707006	11_2_04707006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047490EF	11_2_047490EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047438C0	11_2_047438C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474C8C0	11_2_0474C8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047300B0	11_2_047300B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047318B6	11_2_047318B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474C0A0	11_2_0474C0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471E0AC	11_2_0471E0AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474A88E	11_2_0474A88E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0473617E	11_2_0473617E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04730962	11_2_04730962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04745160	11_2_04745160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04732120	11_2_04732120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04729910	11_2_04729910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04728900	11_2_04728900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474B900	11_2_0474B900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047311DA	11_2_047311DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047361D8	11_2_047361D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474B9B0	11_2_0474B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047269B4	11_2_047269B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047379A0	11_2_047379A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047379AF	11_2_047379AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047139AF	11_2_047139AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471D99F	11_2_0471D99F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04720180	11_2_04720180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04743250	11_2_04743250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04748240	11_2_04748240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474BA40	11_2_0474BA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0473B238	11_2_0473B238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471FA3D	11_2_0471FA3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470D2F0	11_2_0470D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047362F9	11_2_047362F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04736AE5	11_2_04736AE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04738AC0	11_2_04738AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471E2C6	11_2_0471E2C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0472DAA2	11_2_0472DAA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047292A0	11_2_047292A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0472BA81	11_2_0472BA81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04731A8C	11_2_04731A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04744B60	11_2_04744B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0473DB6D	11_2_0473DB6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04702B50	11_2_04702B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04720B40	11_2_04720B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470FB20	11_2_0470FB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04708B20	11_2_04708B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0474C320	11_2_0474C320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0472D32F	11_2_0472D32F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04716312	11_2_04716312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0471D315	11_2_0471D315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470CBD0	11_2_0470CBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_047373CB	11_2_047373CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0472CBB0	11_2_0472CBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_0470A390	11_2_0470A390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 11_2_04745390	11_2_04745390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 0471A420 appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 0470B380 appears 49 times

Source: ZEemZXPukh.exe

Static PE information: invalid certificate

Source: ZEemZXPukh.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: ZEemZXPukh.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: is-377O9.tmp.4.dr

Static PE information: Number of sections : 14 > 10

Source: ZEemZXPukh.exe, 00000000.00000003.1268560732.00000000021DB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs ZEemZXPukh.exe
Source: ZEemZXPukh.exe, 00000000.00000003.1257958413.000000007FB50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs ZEemZXPukh.exe
Source: ZEemZXPukh.exe, 00000000.00000000.1257282648.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs ZEemZXPukh.exe
Source: ZEemZXPukh.exe, 00000000.00000003.1268560732.0000000002298000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ZEemZXPukh.exe
Source: ZEemZXPukh.exe, 00000002.00000003.1384432919.0000000002208000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ZEemZXPukh.exe
Source: ZEemZXPukh.exe, 00000002.00000003.1384432919.000000000214B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs ZEemZXPukh.exe
Source: ZEemZXPukh.exe	Binary or memory string: OriginalFileName vs ZEemZXPukh.exe

Source: ZEemZXPukh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 10.2.EuAccountCenter.exe.f524b8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 10.2.EuAccountCenter.exe.f524b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.1517644912.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/74@31/6

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe

Code function: 10_2_00F50B4B CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,

10_2_00F50B4B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 11_2_04743C30 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

11_2_04743C30

Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: chrome.exe, 0000000C.00000002.2543823825.0000421C01478000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: chrome.exe, 0000000C.00000002.2541834001.0000421C01180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 0000000C.00000002.2542238012.0000421C0121C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542238012.0000421C0121F000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2535892975.0000421C002F4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 0000000C.00000002.2538081298.0000421C00990000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 0000000C.00000002.2541834001.0000421C01180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
Source: chrome.exe, 0000000C.00000002.2542238012.0000421C0121C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2542238012.0000421C0121F000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.2535892975.0000421C002F4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 0000000C.00000002.2541834001.0000421C01180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
Source: chrome.exe, 0000000C.00000002.2542552613.0000421C01274000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
Source: chrome.exe, 0000000C.00000002.2541834001.0000421C01180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 0000000C.00000002.2543863346.0000421C01498000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';

Source: unknown	Process created: C:\Users\user\Desktop\ZEemZXPukh.exe "C:\Users\user\Desktop\ZEemZXPukh.exe"
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp "C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp" /SL5="$20466,19707157,858112,C:\Users\user\Desktop\ZEemZXPukh.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process created: C:\Users\user\Desktop\ZEemZXPukh.exe "C:\Users\user\Desktop\ZEemZXPukh.exe" /VERYSILENT
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp "C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp" /SL5="$2046A,19707157,858112,C:\Users\user\Desktop\ZEemZXPukh.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe "C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe"
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2312,i,15222031722940320858,8343438720841088650,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2468 /prefetch:3
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp "C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp" /SL5="$20466,19707157,858112,C:\Users\user\Desktop\ZEemZXPukh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process created: C:\Users\user\Desktop\ZEemZXPukh.exe "C:\Users\user\Desktop\ZEemZXPukh.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp "C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp" /SL5="$2046A,19707157,858112,C:\Users\user\Desktop\ZEemZXPukh.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe "C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2312,i,15222031722940320858,8343438720841088650,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2468 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Yara match	File source: 10.2.EuAccountCenter.exe.62f0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.EuAccountCenter.exe.45311c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.EuAccountCenter.exe.62f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.EuAccountCenter.exe.46309b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.EuAccountCenter.exe.45311c4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.EuAccountCenter.exe.46309b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1518989296.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1507895636.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1534561169.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1507895636.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EuAccountCenter.exe PID: 5688, type: MEMORYSTR

Source: ZEemZXPukh.exe	Static PE information: section name: .didata
Source: ZEemZXPukh.tmp.0.dr	Static PE information: section name: .didata
Source: ZEemZXPukh.tmp.2.dr	Static PE information: section name: .didata
Source: is-377O9.tmp.4.dr	Static PE information: section name: .buildid
Source: is-377O9.tmp.4.dr	Static PE information: section name: .xdata
Source: is-377O9.tmp.4.dr	Static PE information: section name: /4
Source: is-ILSKH.tmp.4.dr	Static PE information: section name: .nep

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F56FF5 push es; retf	10_2_00F56FFA
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F56FFB push es; retf	10_2_00F57000
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_0618604D pushfd ; ret	10_2_0618604E
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062C052C push es; ret	10_2_062C052D
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062CD330 push es; ret	10_2_062CD3E0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062DA691 push es; ret	10_2_062DA6A0
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_062D7AD8 pushfd ; iretd	10_2_062D7AE5

Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\7zxa64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.VisualC.ProjectStore.Implementation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-Q50V2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\libaribsub_plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-JPL3E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-F9LK6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\AXEDOMCore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-S1VQD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\xzcat.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.VisualStudio.Text.UI.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\git-lfs.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-U1FHJ.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\MSHY7EN.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-ILSKH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.WinForms.DesignTools.Protocol.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DRACG.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-OIBKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-SR8CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.Identity.Client.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-NS59H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\unxz.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-U1FHJ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-RI5B5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-RGB48.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\gettext.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DRACG.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-96BRU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-EH6G6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\RarExt32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\boost_python-vc90-mt-1_47.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	File created: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-5E4VC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\sexp-conv.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-NUH8C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\mc_dec_dv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-P3S8D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\msvcp140d.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-CCN0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-EGV3K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-V4EL8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-63ALC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\PresentationFramework.Classic.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	File created: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-GAFOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.VisualStudio.Workspace.Implementation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-O8UA3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-377O9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-AKARE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.CodeAnalysis.VisualBasic.CodeStyle.Fixes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-U1FHJ.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\MSSOAP30.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\create-shortcut.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-QU1TB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-9156Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\WhoUses.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DRACG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\GitLab.UI.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-9KG39.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	File created: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\msys-hx509-5.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZEemZXPukh.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\7zxa64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.VisualC.ProjectStore.Implementation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-Q50V2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\libaribsub_plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\AXEDOMCore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-F9LK6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-JPL3E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\xzcat.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-S1VQD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.VisualStudio.Text.UI.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\git-lfs.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1FHJ.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\MSHY7EN.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.WinForms.DesignTools.Protocol.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-ILSKH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DRACG.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-OIBKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-SR8CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.Identity.Client.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-NS59H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\unxz.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1FHJ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-RI5B5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-RGB48.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\gettext.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DRACG.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-96BRU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-EH6G6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\RarExt32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\boost_python-vc90-mt-1_47.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-5E4VC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\sexp-conv.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-NUH8C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\mc_dec_dv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-P3S8D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\msvcp140d.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-CCN0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-V4EL8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-63ALC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\PresentationFramework.Classic.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-GAFOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.VisualStudio.Workspace.Implementation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-O8UA3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-377O9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\Microsoft.CodeAnalysis.VisualBasic.CodeStyle.Fixes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-AKARE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\MSSOAP30.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DK84I.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1FHJ.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\create-shortcut.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-QU1TB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\is-9156Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\WhoUses.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DRACG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\bin\GitLab.UI.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\msys-hx509-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-10L0D.tmp\ZEemZXPukh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\is-9KG39.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F5043B mov edx, dword ptr fs:[00000030h]	10_2_00F5043B
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F509FB mov eax, dword ptr fs:[00000030h]	10_2_00F509FB
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F5104B mov eax, dword ptr fs:[00000030h]	10_2_00F5104B
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F5104A mov eax, dword ptr fs:[00000030h]	10_2_00F5104A
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Code function: 10_2_00F50DAB mov eax, dword ptr fs:[00000030h]	10_2_00F50DAB

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4700000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4701000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 474F000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4752000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4760000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4419008	Jump to behavior

Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{31146196-0CDE-4651-837C-5DE423B3A916}\EuAccountCenter.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: 11.2.AppLaunch.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1533270031.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: AppLaunch.exe, 0000000B.00000002.2520808657.0000000004B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: AppLaunch.exe, 0000000B.00000002.2520652396.0000000004B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: EuAccountCenter.exe, 0000000A.00000002.1533768714.0000000005830000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Yara match	File source: 0000000B.00000002.2520808657.0000000004B88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 5852, type: MEMORYSTR

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	211 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZEemZXPukh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ZEemZXPukh.exe