Windows Analysis Report
Cm2GRjWK1C.exe

Overview

General Information

Sample name: Cm2GRjWK1C.exe
renamed because original name is a hash value
Original sample name: 9a6088f8f1880ab2d28748fed448b4bc.exe
Analysis ID: 1639254
MD5: 9a6088f8f1880ab2d28748fed448b4bc
SHA1: a5ced9f99e56c0d706bb974200c03db64e00db57
SHA256: 3078a82218b5bb136c0420d8415d3943f0bd10180efefe298869a5401ddb1f96
Tags: exeuser-abuse_ch
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000003.1676784292.0000000003022000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199829660832", "Botnet": "ir7am"}
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D46A10 StrStrA,lstrlen,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlen, 0_3_02D46A10
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D50830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree, 0_3_02D50830
Source: Cm2GRjWK1C.exe, 00000000.00000002.1677411766.000000000053A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_344ae7ad-b
Uses 32bit PE files
Source: Cm2GRjWK1C.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 95.217.30.53:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.30.53:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: Cm2GRjWK1C.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\workspace\installer\online\setup\Release\R_Online.pdb source: Cm2GRjWK1C.exe
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D4B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose, 0_3_02D4B6B0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D55EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,_mbscpy,_splitpath,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose, 0_3_02D55EB0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D54E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,FindClose, 0_3_02D54E70
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D47210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,memset,CopyFileA,DeleteFileA,memset,FindClose, 0_3_02D47210
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D53FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,FindClose, 0_3_02D53FD0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D413F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose, 0_3_02D413F0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D53580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose, 0_3_02D53580
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D497B0 FindFirstFileA,FindNextFileA,strlen, 0_3_02D497B0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D48360 FindFirstFileA,CopyFileA,FindNextFileA,strlen,CopyFileA,FindClose, 0_3_02D48360
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D4ACD0 wsprintfA,FindFirstFileA,strlen,lstrlen,DeleteFileA,CopyFileA,FindClose, 0_3_02D4ACD0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D48C90 lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,strlen,lstrcpy,memset,lstrcpy,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpy,lstrcpy,CopyFileA,FindClose,FindClose,DeleteFileA, 0_3_02D48C90
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D54950 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrlen,lstrlen, 0_3_02D54950
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D53AF0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen, 0_3_02D53AF0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 15MB later: 39MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49728 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49729 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49765 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.30.53:443 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49735 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49734 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49737 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49737 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49738 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49738 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49768 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49768 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49770 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49770 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49769 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49769 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49736 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49736 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49767 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49767 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49771 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49771 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49766 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.30.53:443 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49772 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49772 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49775 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49776 -> 95.217.30.53:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199829660832
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 95.217.30.53Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----f3ohlfuk6f3e3ectri5fHost: 95.217.30.53Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----5phv37gl6xlf3ekf3e37Host: 95.217.30.53Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----tr9r1d26x4wtje3ohv3wHost: 95.217.30.53Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----iwtjmycbsr1vaa1ngvknHost: 95.217.30.53Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ba1dj58glx4ozm7q900hHost: 95.217.30.53Content-Length: 5517Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----f3ohlfuk6f3e3ectri5fHost: 95.217.30.53Content-Length: 489Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----srq9hlxlfcbaiek6ppphHost: 95.217.30.53Content-Length: 262605Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----9zmy5xtj5xbimyusrimoHost: 95.217.30.53Content-Length: 55081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2vs26f3eua1v3790hvasHost: 95.217.30.53Content-Length: 186149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----mophlxlng4o8qiwt2nozHost: 95.217.30.53Content-Length: 505Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4wbi5xt2689zmyc26pppHost: 95.217.30.53Content-Length: 493Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----8glx4o8qq1dje3ec2n7qHost: 95.217.30.53Content-Length: 169765Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ng4eusj5fk6f3e3ek6fkHost: 95.217.30.53Content-Length: 66001Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----8900hvkx4wtjm7g4e3w4Host: 95.217.30.53Content-Length: 153381Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ppp8q1ny58q1va16xln7Host: 95.217.30.53Content-Length: 393697Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2dba1dbsrqq9zuasriwlHost: 95.217.30.53Content-Length: 131557Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----37ycjmycbsr1nyu3wlxlHost: 95.217.30.53Content-Length: 6990993Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7q16x4790zmgv3wbimozHost: 95.217.30.53Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----2vs26f3eua1v3790hvasHost: 95.217.30.53Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----47q16x47glfkfusjeuasHost: 95.217.30.53Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----kn7q1vs2ny5x47y5pzmgHost: 95.217.30.53Content-Length: 99109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----58glx4o8qq1dje3ec2n7Host: 95.217.30.53Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----h4o8gv3ozmozmymg4wtrHost: 95.217.30.53Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49732 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49725 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49729 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49734 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49736 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49728 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49735 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49766 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49767 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49768 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49772 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49769 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49770 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49771 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49773 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49774 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49775 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49777 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49776 -> 95.217.30.53:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49778 -> 95.217.30.53:443
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.30.53
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D42690 lstrlen,StrCmpCA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,GetProcessHeap,RtlAllocateHeap,memcpy,lstrlen,memcpy,lstrlen,memcpy,lstrlen,HttpSendRequestA,Sleep,HttpQueryInfoA,InternetReadFile,InternetReadFile,StrCmpCA,InternetCloseHandle,InternetCloseHandle, 0_3_02D42690
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 95.217.30.53Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjI3M4BCIrgzgEIruTOAQiL5c4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjI3M4BCIrgzgEIruTOAQiL5c4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.1394215546.00001ECC03798000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000008.00000003.1394215546.00001ECC03798000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----f3ohlfuk6f3e3ectri5fHost: 95.217.30.53Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000008.00000002.1474315925.00001ECC02A15000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: Cm2GRjWK1C.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Cm2GRjWK1C.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Cm2GRjWK1C.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Cm2GRjWK1C.exe String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Cm2GRjWK1C.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Cm2GRjWK1C.exe String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: chrome.exe, 00000008.00000002.1472080608.00001ECC022E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000008.00000003.1390000033.00001ECC032D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476891441.00001ECC032D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417772160.00001ECC032CC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000008.00000002.1471945399.00001ECC02296000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: Cm2GRjWK1C.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Cm2GRjWK1C.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Cm2GRjWK1C.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Cm2GRjWK1C.exe String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: Cm2GRjWK1C.exe String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: Cm2GRjWK1C.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: chrome.exe, 00000008.00000002.1476208153.00001ECC03068000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: Cm2GRjWK1C.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Cm2GRjWK1C.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Cm2GRjWK1C.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Cm2GRjWK1C.exe String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: chrome.exe, 00000008.00000002.1476022271.00001ECC02FD8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: chromecache_71.9.dr String found in binary or memory: http://www.broofa.com
Source: Cm2GRjWK1C.exe String found in binary or memory: http://www.dvdfab.cn/?s=playerfab&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: http://www.dvdfab.cn/bad_package.htm?s=
Source: Cm2GRjWK1C.exe String found in binary or memory: http://www.dvdfab.cn/bad_package.htm?s=22DVDFab2622
Source: Cm2GRjWK1C.exe String found in binary or memory: http://www.dvdfab.cn/dvdfab-user-license-agreement.htm?s=playerfab&ad=playerfab_client&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: http://www.dvdfab.cn/u-experience?s=playerfab&ad=playerfab_client&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: http://www.dvdfab.cn/u-experience?s=playerfab&ad=playerfab_client&v=http://www.dvdfab.cn/dvdfab-user
Source: chrome.exe, 00000008.00000002.1477058236.00001ECC0334C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/update2/response
Source: chrome.exe, 00000008.00000002.1476110867.00001ECC03004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: Cm2GRjWK1C.exe String found in binary or memory: http://www.openssl.org/support/faq.html
Source: chrome.exe, 00000008.00000002.1464503636.00000241BDDD2000.00000002.00000001.00040000.00000010.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: Cm2GRjWK1C.exe, Cm2GRjWK1C.exe, 00000000.00000003.1676784292.0000000003022000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1271718749.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010A3000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676587237.0000000003001000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676539519.0000000002D62000.00000004.00001000.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1300089487.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1285961370.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53
Source: Cm2GRjWK1C.exe, 00000000.00000003.1271718749.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1300135134.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1257462513.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1300089487.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1285961370.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.0000000001085000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/$
Source: Cm2GRjWK1C.exe, 00000000.00000003.1300135134.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1300089487.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/)CMA
Source: Cm2GRjWK1C.exe, 00000000.00000003.1300089487.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/7
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.0000000001085000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/8
Source: Cm2GRjWK1C.exe, 00000000.00000003.1286006933.00000000010B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/?CSA%
Source: Cm2GRjWK1C.exe, 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/FCZA$
Source: Cm2GRjWK1C.exe, 00000000.00000003.1271718749.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/G
Source: Cm2GRjWK1C.exe, 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/MC
Source: Cm2GRjWK1C.exe, 00000000.00000003.1271718749.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1286006933.00000000010B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/TC
Source: Cm2GRjWK1C.exe, 00000000.00000003.1271718749.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1286006933.00000000010B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53/zD
Source: Cm2GRjWK1C.exe, 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53;
Source: Cm2GRjWK1C.exe, 00000000.00000003.1271718749.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1286006933.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1300135134.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1300089487.00000000010B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53MC
Source: Cm2GRjWK1C.exe, 00000000.00000003.1676784292.0000000003022000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676587237.0000000003001000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676539519.0000000002D62000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53hello
Source: Cm2GRjWK1C.exe, 00000000.00000003.1676539519.0000000002D62000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://95.217.30.53hellohttps://t.me/l793oyir7amMozilla/5.0
Source: x4wbi5.0.dr String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000008.00000002.1471856661.00001ECC02214000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000008.00000002.1473839638.00001ECC02920000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478434444.00001ECC03644000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477058236.00001ECC0334C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477058236.00001ECC0334C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000008.00000002.1472006930.00001ECC022BD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chromecache_69.9.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_69.9.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000008.00000002.1473839638.00001ECC02920000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://adsmeasurement.com
Source: chrome.exe, 00000008.00000002.1479497325.00001ECC03BC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418621822.00001ECC03C58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417857151.00001ECC02774000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418547462.00001ECC03C14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp, chromecache_69.9.dr, chromecache_71.9.dr String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000008.00000002.1477458302.00001ECC034B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-c1.dvdfab.cn/api/
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-c2.DVDFabdvdfab.cnwww.dvdfab.cnDVDFab
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-d1.dvdfab.cn/api/
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-d1.dvdfab.cn/api/common_json_post/
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-j1.dvdfab.cn/api/
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-j1.dvdfab.cn/api/JPNhttps://app-api-c1.dvdfab.cn/api/ENUhttps://app-api-d1.dvdfab.cn
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-j1.dvdfab.cn/api/common_json_post/
Source: Cm2GRjWK1C.exe String found in binary or memory: https://app-api-j1.dvdfab.cn/api/common_json_post/https://app-api-d1.dvdfab.cn/api/common_json_post/
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://appsflyer.com
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://azubiyo.de
Source: chrome.exe, 00000008.00000002.1474929281.00001ECC02B58000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, vaim7g.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, vaim7g.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: chrome.exe, 00000008.00000003.1394242037.00001ECC03814000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417797321.00001ECC02728000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1394147374.00001ECC037CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1394191951.00001ECC037DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000008.00000002.1475427035.00001ECC02D38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475797064.00001ECC02EB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478576439.00001ECC036D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: x4wbi5.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Cm2GRjWK1C.exe, 00000000.00000002.1679863206.00000000043BA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475999818.00001ECC02FC0000.00000004.00001000.00020000.00000000.sdmp, x4wbi5.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Cm2GRjWK1C.exe, 00000000.00000002.1679863206.00000000043BA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475999818.00001ECC02FC0000.00000004.00001000.00020000.00000000.sdmp, x4wbi5.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000008.00000003.1417523038.00001ECC036EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1474315925.00001ECC02A15000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472304064.00001ECC02378000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1474605622.00001ECC02AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 00000008.00000002.1468330959.00000241C4EB7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1479380514.00001ECC03AEC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476142946.00001ECC03044000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476110867.00001ECC03004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 00000008.00000003.1417500053.00001ECC03698000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1390410228.00001ECC036EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417523038.00001ECC036EC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381776359.00001EC800458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381842607.00001EC800468000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000008.00000002.1474184732.00001ECC029B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000008.00000002.1474184732.00001ECC029B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 00000008.00000002.1472304064.00001ECC02378000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000008.00000002.1474964004.00001ECC02B8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000008.00000002.1474964004.00001ECC02B8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000008.00000003.1380157625.00001D40000DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000008.00000002.1475267325.00001ECC02C80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472304064.00001ECC02378000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476986237.00001ECC03310000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1474870355.00001ECC02B44000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475351535.00001ECC02CBB000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000008.00000002.1474115187.00001ECC0298C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000008.00000002.1474315925.00001ECC02A15000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000008.00000002.1474315925.00001ECC02A15000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chromecache_69.9.dr String found in binary or memory: https://clients6.google.com
Source: chrome.exe, 00000008.00000002.1474315925.00001ECC02A15000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chromecache_69.9.dr String found in binary or memory: https://content.googleapis.com
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, vaim7g.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, vaim7g.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000008.00000002.1472950525.00001ECC025D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: Cm2GRjWK1C.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d115.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d115.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d145.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d145.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d17.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d17.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d171.dvdf
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d171.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d171.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d18.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d18.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d207.dv
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d207.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d207.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d217.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d217.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d223.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d223.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d74.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://d74.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dailymail.co.uk
Source: Cm2GRjWK1C.exe String found in binary or memory: https://dl.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_
Source: Cm2GRjWK1C.exe String found in binary or memory: https://dl.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://dl.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.1475427035.00001ECC02D38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475797064.00001ECC02EB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478576439.00001ECC036D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.1475427035.00001ECC02D38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475797064.00001ECC02EB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478576439.00001ECC036D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.1475427035.00001ECC02D38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475797064.00001ECC02EB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478576439.00001ECC036D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.1478576439.00001ECC036D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions7
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.1475427035.00001ECC02D38000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475797064.00001ECC02EB0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478576439.00001ECC036D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chromecache_69.9.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: Cm2GRjWK1C.exe String found in binary or memory: https://dr.dvdfab.cn/download/12_7051_c2751989/playerfab_x64_7051.exe
Source: Cm2GRjWK1C.exe String found in binary or memory: https://dr.dvdfab.cn/download/31_7051_c2b57a7c/playerfab_7051.exe
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: x4wbi5.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Cm2GRjWK1C.exe, 00000000.00000002.1679863206.00000000043BA000.00000004.00000020.00020000.00000000.sdmp, x4wbi5.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: x4wbi5.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ebayadservices.c
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://elle.com
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://finn.no
Source: chrome.exe, 00000008.00000003.1394442372.00001ECC038F4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1394490638.00001ECC0388C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417628655.00001ECC03928000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chromecache_71.9.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_71.9.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_71.9.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_71.9.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: x4wbi5.0.dr String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic/intro?
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/glic2
Source: chrome.exe, 00000008.00000003.1381842607.00001EC800468000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381776359.00001EC800458000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381842607.00001EC800468000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381842607.00001EC800468000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1471835996.00001ECC02204000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000008.00000002.1474605622.00001ECC02AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418662063.00001ECC03F64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: vaim7g.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000008.00000002.1475589689.00001ECC02DC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1479007037.00001ECC039D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475944559.00001ECC02F60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000008.00000002.1473241743.00001ECC025E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000008.00000003.1394242037.00001ECC03814000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417797321.00001ECC02728000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000008.00000002.1472800160.00001ECC02524000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000008.00000002.1475051363.00001ECC02BB4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478092354.00001ECC03534000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477058236.00001ECC0334C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 00000008.00000002.1476986237.00001ECC03310000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1479307186.00001ECC03AD0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477433388.00001ECC034A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 00000008.00000002.1479307186.00001ECC03AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultfault
Source: chrome.exe, 00000008.00000002.1476986237.00001ECC03310000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultle
Source: chrome.exe, 00000008.00000002.1475051363.00001ECC02BB4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/chat/es
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000008.00000002.1473241743.00001ECC025E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.1479087431.00001ECC03A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475944559.00001ECC02F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475351535.00001ECC02CBB000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000008.00000002.1476576882.00001ECC0315C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475840951.00001ECC02ED8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000008.00000002.1475287933.00001ECC02C90000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476576882.00001ECC0315C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475840951.00001ECC02ED8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000008.00000002.1477095136.00001ECC03394000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475840951.00001ECC02ED8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp, chrome.exe, 00000008.00000002.1475718665.00001ECC02E50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1394098825.00001ECC033F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000008.00000002.1479497325.00001ECC03BC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418621822.00001ECC03C58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417857151.00001ECC02774000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418547462.00001ECC03C14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000008.00000002.1477192434.00001ECC033E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000008.00000002.1479497325.00001ECC03BC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418621822.00001ECC03C58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417857151.00001ECC02774000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418547462.00001ECC03C14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000008.00000002.1479497325.00001ECC03BC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418621822.00001ECC03C58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417857151.00001ECC02774000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418547462.00001ECC03C14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478025452.00001ECC03510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1481418958.00001ECC041C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477977869.00001ECC034F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477977869.00001ECC034F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478025452.00001ECC03510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477977869.00001ECC034F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476691696.00001ECC03198000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475743528.00001ECC02E6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477977869.00001ECC034F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478025452.00001ECC03510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1481418958.00001ECC041C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728324084&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478025452.00001ECC03510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476691696.00001ECC03198000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808228&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478025452.00001ECC03510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1481418958.00001ECC041C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808249&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478025452.00001ECC03510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1481418958.00001ECC041C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739894676&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477977869.00001ECC034F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000008.00000002.1478534851.00001ECC036B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1481418958.00001ECC041C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042075&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 00000008.00000002.1477818569.00001ECC034EC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476733673.00001ECC031E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1477977869.00001ECC034F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000008.00000002.1478025452.00001ECC03510000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1481418958.00001ECC041C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478002075.00001ECC03504000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000008.00000003.1394242037.00001ECC03814000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417797321.00001ECC02728000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1394191951.00001ECC037DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 00000008.00000002.1474929281.00001ECC02B58000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://people.googleapis.com/
Source: chromecache_71.9.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 00000008.00000002.1467250234.00000241C2FC7000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/log?format=json&hasfast=true(
Source: chromecache_69.9.dr String found in binary or memory: https://plus.google.com
Source: chromecache_69.9.dr String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp, chrome.exe, 00000008.00000002.1475718665.00001ECC02E50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1394098825.00001ECC033F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000008.00000002.1473411751.00001ECC02658000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000008.00000002.1473411751.00001ECC02658000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000008.00000002.1472451164.00001ECC023DF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000008.00000002.1472158324.00001ECC02310000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 00000008.00000002.1472570377.00001ECC02418000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1476110867.00001ECC03004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://seedtag.com
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000008.00000002.1475589689.00001ECC02DC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1479007037.00001ECC039D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475944559.00001ECC02F60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sitescout.com
Source: chrome.exe, 00000008.00000002.1473241743.00001ECC025E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Cm2GRjWK1C.exe, 00000000.00000003.1676784292.0000000003022000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676587237.0000000003001000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676539519.0000000002D62000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
Source: Cm2GRjWK1C.exe, 00000000.00000003.1676539519.0000000002D62000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 00000008.00000002.1473665659.00001ECC027D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: Cm2GRjWK1C.exe, 00000000.00000002.1681344018.00000000049F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Cm2GRjWK1C.exe, 00000000.00000002.1681344018.00000000049F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20161
Source: chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: chrome.exe, 00000008.00000002.1478048628.00001ECC0351C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e175
Source: Cm2GRjWK1C.exe, 00000000.00000003.1676784292.0000000003022000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676587237.0000000003001000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000003.1676539519.0000000002D62000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/l793oy
Source: chrome.exe, 00000008.00000002.1476110867.00001ECC03004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tailtarget.com
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tamedia.com.tw
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tangooserver.com
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: Cm2GRjWK1C.exe String found in binary or memory: https://test-app-api.dvdfab.cn/api/
Source: Cm2GRjWK1C.exe String found in binary or memory: https://test-user-profile.dvdfab.cn/api/user/info
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://trkkn.com
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tya-dev.com
Source: Cm2GRjWK1C.exe String found in binary or memory: https://user-profile.dvdfab.cn/api/user/info
Source: Cm2GRjWK1C.exe String found in binary or memory: https://user-profile.dvdfab.cn/api/user/infohttps://test-user-profile.dvdfab.cn/api/user/infoGet
Source: chromecache_69.9.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chrome.exe, 00000008.00000002.1476142946.00001ECC0304A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://worldhistory.org
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, vaim7g.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/all-in-one.htmStreamFabhttps://www.dvdfab.cn/streamfab-product.htm?page=downlo
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/player7.htm?soft=playerfab&ad=playerfab_client_update&downloadmode=1&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/player7.htm?soft=playerfab&ad=playerfab_client_update&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/player7.htm?soft=playerfab&ad=playerfab_client_update_old&platform=x64&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/player7.htm?soft=playerfab&ad=playerfab_client_update_old&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=playerfab&ad=playerfab_client_thankyou&downloadmode=1&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=playerfab&ad=playerfab_client_thankyou&v=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_%1%&downloadmode=1&pid=%
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_abematv&downloadmode=1&p
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_amazon&downloadmode=1&pi
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_apple-tv-plus&downloadmo
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_crunchyroll&downloadmode
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_discovery-plus&downloadm
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_disney-plus&downloadmode
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_espn-plus&downloadmode=1
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_fod&downloadmode=1&pid=f
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_funimation&downloadmode=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_hbo&downloadmode=1&pid=h
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_hulu&downloadmode=1&pid=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_joyn&downloadmode=1&pid=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_netflix&downloadmode=1&p
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_olympic-games&downloadmo
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_paramount-plus&downloadm
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_paravi&downloadmode=1&pi
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_peacock&downloadmode=1&p
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_r18&downloadmode=1&pid=r
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_rakuten-tv&downloadmode=
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_shahid&downloadmode=1&pi
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_tvnow&downloadmode=1&pid
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_u-next&downloadmode=1&pi
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_video&downloadmode=1&pid
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/thankyou.htm?s=streamfab&ad=streamfab_client_thankyou_youtube-movies&downloadm
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/uninstall-software.htm
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cn/video-enhancer-ai.htm
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.dvdfab.cnDVDFab
Source: Cm2GRjWK1C.exe, 00000000.00000002.1679863206.00000000043BA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475999818.00001ECC02FC0000.00000004.00001000.00020000.00000000.sdmp, x4wbi5.0.dr String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp, vaim7g.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Cm2GRjWK1C.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000008.00000002.1467250234.00000241C2FC7000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000008.00000002.1479007037.00001ECC039D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000008.00000002.1479380514.00001ECC03AEC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000008.00000002.1474929281.00001ECC02B58000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000008.00000002.1474964004.00001ECC02B8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000008.00000002.1474964004.00001ECC02B8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000008.00000002.1464391432.00000241BD430000.00000002.00000001.00040000.0000000F.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 00000008.00000002.1476937486.00001ECC032E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475974465.00001ECC02F94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475565347.00001ECC02DA4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: Cm2GRjWK1C.exe, 00000000.00000002.1679863206.00000000043BA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1474315925.00001ECC02A15000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472882586.00001ECC02584000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473665659.00001ECC027D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1475999818.00001ECC02FC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473729232.00001ECC02874000.00000004.00001000.00020000.00000000.sdmp, x4wbi5.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 00000008.00000002.1473241743.00001ECC025E4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
Source: chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chromecache_69.9.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_69.9.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000008.00000003.1381943622.00001EC8004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1382033511.00001EC8004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381914026.00001EC800498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381994816.00001EC8004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000008.00000003.1418774683.00001ECC03D08000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381619552.00001EC800184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000008.00000003.1381943622.00001EC8004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1382033511.00001EC8004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381914026.00001EC800498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381994816.00001EC8004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerForcedOn_PlusAddressAndroidOpenGmsCoreManagementP
Source: chrome.exe, 00000008.00000003.1381943622.00001EC8004AC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1382033511.00001EC8004C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381914026.00001EC800498000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381994816.00001EC8004B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1381861908.00001EC80048C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerPlusAddressOfferCreationIfPasswordFieldIsNotVisib
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000008.00000002.1472490493.00001ECC023E8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000008.00000002.1474315925.00001ECC02A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1478719610.00001ECC03738000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chromecache_71.9.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_71.9.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_71.9.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000008.00000002.1479519475.00001ECC03BD4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000008.00000003.1417706720.00001ECC03998000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418621822.00001ECC03C58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1479519475.00001ECC03BD4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000008.00000002.1476937486.00001ECC032E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418547462.00001ECC03C14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.eebVy_fNKiM.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000008.00000002.1479497325.00001ECC03BC8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418621822.00001ECC03C58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417857151.00001ECC02774000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418547462.00001ECC03C14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418445222.00001ECC0385C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.sDa5bc0wD58.L.W.O/m=qmd
Source: Cm2GRjWK1C.exe, 00000000.00000002.1681344018.00000000049F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Cm2GRjWK1C.exe, 00000000.00000002.1681344018.00000000049F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Cm2GRjWK1C.exe, 00000000.00000002.1681344018.00000000049F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Cm2GRjWK1C.exe, 00000000.00000002.1681344018.00000000049F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Cm2GRjWK1C.exe, 00000000.00000002.1681344018.00000000049F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000008.00000002.1474848712.00001ECC02B34000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1473322628.00001ECC0261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 95.217.30.53:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.30.53:443 -> 192.168.2.4:49734 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D50A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,ReleaseDC,CloseWindow, 0_3_02D50A90
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D46480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpy,CreateProcessA,Sleep,CloseDesktop, 0_3_02D46480
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_01010B72 NtGetContextThread,NtSetContextThread,NtResumeThread, 0_3_01010B72
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_0101066E NtProtectVirtualMemory, 0_3_0101066E
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_01010CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_3_01010CD8
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_010110E8 NtTerminateThread, 0_3_010110E8
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C11E78 NtProtectVirtualMemory, 0_2_02C11E78
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C11E3A NtFreeVirtualMemory, 0_2_02C11E3A
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C11DE7 NtAllocateVirtualMemory, 0_2_02C11DE7
Detected potential crypto function
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D44A20 0_3_02D44A20
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D58630 0_3_02D58630
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D593D0 0_3_02D593D0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D5A7D0 0_3_02D5A7D0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D5B770 0_3_02D5B770
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D5B300 0_3_02D5B300
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D5C100 0_3_02D5C100
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C103DD 0_2_02C103DD
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C10000 0_2_02C10000
PE / OLE file has an invalid certificate
Source: Cm2GRjWK1C.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Cm2GRjWK1C.exe Binary or memory string: OriginalFilename vs Cm2GRjWK1C.exe
Source: Cm2GRjWK1C.exe, 00000000.00000002.1677584417.0000000000965000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesetup.exeJ vs Cm2GRjWK1C.exe
Source: Cm2GRjWK1C.exe, 00000000.00000002.1679863206.00000000044C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs Cm2GRjWK1C.exe
Source: Cm2GRjWK1C.exe Binary or memory string: OriginalFilenamesetup.exeJ vs Cm2GRjWK1C.exe
Uses 32bit PE files
Source: Cm2GRjWK1C.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/24@6/6
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D51250 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_3_02D51250
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\38E3REAV.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: Cm2GRjWK1C.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: chrome.exe, 00000008.00000002.1479678271.00001ECC03C90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: chrome.exe, 00000008.00000002.1479678271.00001ECC03C90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 00000008.00000002.1477123076.00001ECC033B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472330345.00001ECC02398000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472710930.00001ECC024F8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 00000008.00000002.1474740820.00001ECC02B2F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 00000008.00000002.1472330345.00001ECC02398000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;s
Source: chrome.exe, 00000008.00000002.1472330345.00001ECC02398000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;s
Source: chrome.exe, 00000008.00000002.1479678271.00001ECC03C90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
Source: chrome.exe, 00000008.00000002.1477123076.00001ECC033B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472330345.00001ECC02398000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1472710930.00001ECC024F8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 00000008.00000002.1479678271.00001ECC03C90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
Source: chrome.exe, 00000008.00000002.1479849234.00001ECC03CE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
Source: w4wb168q1.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chrome.exe, 00000008.00000002.1479678271.00001ECC03C90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 00000008.00000002.1479799636.00001ECC03CB4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';
Source: Cm2GRjWK1C.exe String found in binary or memory: -help
Source: Cm2GRjWK1C.exe String found in binary or memory: ?h-helpbabdbtbbbsoCannot find listfileIncorrect item in listfile.
Source: Cm2GRjWK1C.exe String found in binary or memory: Download fehlgeschlagen, bitte versuchen Sie es erneut oder downloaden Sie den Offline-Installer aus www.dvdfab.cn.D
Source: Cm2GRjWK1C.exe String found in binary or memory: es do download...Das Online-Installationsprogramm ist zu alt, bitte downloaden Sie die neuste Version unter de.dvdfab.cn.
Source: Cm2GRjWK1C.exe String found in binary or memory: ./..//.//./..//....No errorUnsupported protocolFailed initializationURL using bad/illegal format or missing URLA requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.Couldn't resolve proxy nameCouldn't resolve host nameCouldn't connect to serverWeird server replyAccess denied to remote resourceFTP: The server failed to connect to data portFTP: Accepting server connect has timed outFTP: The server did not accept the PRET command.FTP: unknown PASS replyFTP: unknown PASV replyFTP: unknown 227 response formatFTP: can't figure out the host in the PASV responseError in the HTTP2 framing layerFTP: couldn't set file typeTransferred a partial fileFTP: couldn't retrieve (RETR failed) the specified fileQuote command returned errorHTTP response code said errorFailed writing received data to disk/applicationUpload failed (at start/before it took off)Failed to open/read local data from file/applicationOut of memoryTimeout was reachedFTP: command PORT failedFTP: command REST failedRequested range was not delivered by the serverInternal problem setting up the POSTSSL connect errorCouldn't resume downloadCouldn't read a file:// fileLDAP: cannot bindLDAP: search failedA required function in the library was not foundOperation was aborted by an application callbackA libcurl function was given a bad argumentFailed binding local connection endNumber of redirects hit maximum amountAn unknown option was passed in to libcurlMalformed telnet optionSSL peer certificate or SSH remote key was not OKServer returned nothing (no headers, no data)SSL crypto engine not foundCan not set SSL crypto engine as defaultFailed to initialise SSL crypto engineFailed sending data to the peerFailure when receiving data from the peerProblem with the local SSL certificateCouldn't use specified SSL cipherPeer certificate cannot be authenticated with given CA certificatesProblem with the SSL CA cert (path? access rights?)Unrecognized or bad HTTP Content or Transfer-EncodingInvalid LDAP URLRequested SSL level failedFailed to shut down the SSL connectionFailed to load CRL file (path? access rights?, format?)Issuer check against peer certificate failedSend failed since rewinding of the data stream failedLogin deniedTFTP: File Not FoundTFTP: Access ViolationDisk full or allocation exceededTFTP: Illegal operationTFTP: Unknown transfer IDRemote file already existsTFTP: No such userConversion failedCaller must register CURLOPT_CONV_ callback optionsRemote file not foundError in the SSH layerSocket not ready for send/recvRTSP CSeq mismatch or invalid CSeqRTSP session errorUnable to parse FTP file listChunk callback failedThe max connection limit is reachedSSL public key does not match pinned public keySSL server certificate status verification FAILEDStream error in the HTTP/2 framing layerAPI function called from within callbackUnknown errorCall interruptedBad fileBad accessBad argumentInvalid argumentsOut of file descriptorsCall would blockBlocking
Source: Cm2GRjWK1C.exe String found in binary or memory: set-addPolicy
Source: Cm2GRjWK1C.exe String found in binary or memory: LOGINPLAINCRAM-MD5DIGEST-MD5GSSAPIEXTERNALXOAUTH2OAUTHBEARERAQ==Unsupported SASL authentication mechanism -> total rwx-tTsS0123456789-APM0123456789:<DIR>KGS!@#$%%c%c%c%c%c%c%c%c%s/%s@%s%s@%ssetct-CredReqTBSXsetct-CredResDatasetct-CredRevReqTBSsetct-CredRevReqTBSXsetct-CredRevResDatasetct-PCertReqDatasetct-PCertResTBSsetct-BatchAdminReqDatasetct-BatchAdminResDatasetct-CardCInitResTBSsetct-MeAqCInitResTBSsetct-RegFormResTBSsetct-CertReqDatasetct-CertReqTBSsetct-CertResDatasetct-CertInqReqTBSsetct-ErrorTBSsetct-PIDualSignedTBEsetct-PIUnsignedTBEsetct-AuthReqTBEsetct-AuthResTBEsetct-AuthResTBEXsetct-AuthTokenTBEsetct-CapTokenTBEsetct-CapTokenTBEXsetct-AcqCardCodeMsgTBEsetct-AuthRevReqTBEsetct-AuthRevResTBEsetct-AuthRevResTBEBsetct-CapReqTBEsetct-CapReqTBEXsetct-CapResTBEsetct-CapRevReqTBEsetct-CapRevReqTBEXsetct-CapRevResTBEsetct-CredReqTBEsetct-CredReqTBEXsetct-CredResTBEsetct-CredRevReqTBEsetct-CredRevReqTBEXsetct-CredRevResTBEsetct-BatchAdminReqTBEsetct-BatchAdminResTBEsetct-RegFormReqTBEsetct-CertReqTBEsetct-CertReqTBEXsetct-CertResTBEsetct-CRLNotificationTBSsetct-CRLNotificationResTBSsetct-BCIDistributionTBSsetext-genCryptgeneric cryptogramsetext-miAuthmerchant initiated authsetext-pinSecuresetext-pinAnysetext-track2setext-cvadditional verificationset-policy-rootsetCext-hashedRootsetCext-certTypesetCext-merchDatasetCext-cCertRequiredsetCext-tunnelingsetCext-setExtsetCext-setQualfsetCext-PGWYcapabilitiessetCext-TokenIdentifiersetCext-Track2DatasetCext-TokenTypesetCext-IssuerCapabilitiessetAttr-CertsetAttr-PGWYcappayment gateway capabilitiessetAttr-TokenTypesetAttr-IssCapissuer capabilitiesset-rootKeyThumbset-addPolicysetAttr-Token-EMVsetAttr-Token-B0PrimesetAttr-IssCap-CVMsetAttr-IssCap-T2setAttr-IssCap-SigsetAttr-GenCryptgrmgenerate cryptogramsetAttr-T2Encencrypted track 2setAttr-T2cleartxtcleartext track 2setAttr-TokICCsigICC or token signaturesetAttr-SecDevSigsecure device signatureset-brand-IATA-ATAset-brand-Dinersset-brand-AmericanExpressset-brand-JCBset-brand-Visaset-brand-MasterCardset-brand-NovusDES-CDMFdes-cdmfrsaOAEPEncryptionSETITU-Titu-tJOINT-ISO-ITU-Tjoint-iso-itu-tinternational-organizationsInternational OrganizationsmsSmartcardLoginMicrosoft SmartcardloginmsUPNMicrosoft Universal Principal NameAES-128-CFB1aes-128-cfb1AES-192-CFB1aes-192-cfb1AES-256-CFB1aes-256-cfb1AES-128-CFB8aes-128-cfb8AES-192-CFB8aes-192-cfb8AES-256-CFB8aes-256-cfb8DES-CFB1des-cfb1DES-CFB8des-cfb8DES-EDE3-CFB1des-ede3-cfb1DES-EDE3-CFB8des-ede3-cfb8streetstreetAddresspostalCodeid-pplproxyCertInfoProxy Certificate Informationid-ppl-anyLanguageAny languageid-ppl-inheritAllInherit allnameConstraintsX509v3 Name Constraintsid-ppl-independentIndependentRSA-SHA256sha256WithRSAEncryptionRSA-SHA384sha384WithRSAEncryptionRSA-SHA512sha512WithRSAEncryptionRSA-SHA224sha224WithRSAEncryptionsha256sha384SHA512sha512SHA224sha224identified-organizationcerticom-arcwapwap-wsgid-characteristic-two-basisonBasistpBasisppBasisc2pnb163v1c2pnb163v2c2pnb163v3c2pnb176v1c2tnb191v1c2tnb191v2c
Source: Cm2GRjWK1C.exe String found in binary or memory: id-cmc-addExtensions
Source: Cm2GRjWK1C.exe String found in binary or memory: Run MainExe.exe /install
Source: Cm2GRjWK1C.exe String found in binary or memory: /install /very_silent / add_plan /output_progress:Install Params %s
Source: Cm2GRjWK1C.exe String found in binary or memory: (x64) (x64)uninstall.exe/very_silentuninstall.exe Mini (x64)DVDfabMini64.ico MiniDVDfabMini.ico --minimode --minimode --minimodeMini (x64)(x64) Mini.lnkDVDFab 12FabRepair.exeRun FabRepair.exerunasFabRepair.exefabtech_all_in_one_setupFabTechFabTech64.exeFabTech 1FabTechVideoConverterSetup.exeFabTech Photo Enhancer AIFabTech Photo Enhancer AI.exeFabTech Photo Enhancer AIFabTechPhotoEnhancerAISetup.exeFabTech Video UpscalerFabTech Video Upscaler.exeFabTech Video UpscalerFabTechVideoUpscalerSetup.exe/install /very_silent /desktop /output_progress: /install_path""Install File %s
Source: Cm2GRjWK1C.exe String found in binary or memory: Finish and Close Setup!FabDebugConfig.inishow_info_viewrootLog\Loginstall.log (x64)Start Kill and Remove DVDFabPasskey.exeDVDFabPasskey.exeKill DVDFabPasskey.exe successRemove DVDFabPasskey.exe successDVDFab Passkey 9DVDFabPasskey.exePasskeyDVDFabPasskey.exeRun MainExe.exe /installRun MainExe.exe /installrunas/XIRun MainExe.exe finishRun exe failed. main exe con't found
Source: Cm2GRjWK1C.exe String found in binary or memory: official ().exewww.dvdfab.cn%s/s%%.0f%s%d%%open%dXXX:%dXXX&v=open&v=open --option /uimodule= --module= --ui-module= --installsource /source= --source= --app_from=" "Run Fab!!! %s - %s
Source: Cm2GRjWK1C.exe String found in binary or memory: UpdateCtrlStatus(AfterInstall)Finish(AfterInstall) --installmode --runappsilent --installmode --runappauto_run_app /desktop/start_mode_online /very_silent /output_progress: /install_path""Option: %s.
Source: Cm2GRjWK1C.exe String found in binary or memory: UpdateCtrlStatus(AfterInstall)Finish(AfterInstall) --installmode --runappsilent --installmode --runappauto_run_app /desktop/start_mode_online /very_silent /output_progress: /install_path""Option: %s.
Source: Cm2GRjWK1C.exe String found in binary or memory: --installmode --runappOnBtnInstall(MySkinMessagxBox)OnBtnInstall(MySkinMessagxBox)OnBtnInstall(MySkinMessagxBox)C:\FreeSpace Info : %lld MB in %s .
Source: Cm2GRjWK1C.exe String found in binary or memory: --installmodesilentOnBtnInstall(OnInstall)OnBtnInstall(what ???)&v=openbotton
Source: Cm2GRjWK1C.exe String found in binary or memory: uninstall.exeCreate DESKTOP Icons Finish.Create START_MENU Icons Finish.Create COMMON_MENU Icons Finish..lnkEnd delete Icon.Run MainExe.exe /installrunas/install/install /add_plan /ID:/install /add_plan /new --app-from --app-from official /option: /uimodule= --module= --ui-module= /source: /source= --source= /time:%d Run Install Params: %s.
Source: Cm2GRjWK1C.exe String found in binary or memory: uninstall.exeCreate DESKTOP Icons Finish.Create START_MENU Icons Finish.Create COMMON_MENU Icons Finish..lnkEnd delete Icon.Run MainExe.exe /installrunas/install/install /add_plan /ID:/install /add_plan /new --app-from --app-from official /option: /uimodule= --module= --ui-module= /source: /source= --source= /time:%d Run Install Params: %s.
Source: Cm2GRjWK1C.exe String found in binary or memory: runaswinstore /install/uninstall/silent/very_silent/app_from:/desktop/no_desktop/no_add_plan/thank_you/output_progress:/option:/source:/runapp/start_mode_online/file/install_pathCmd Line : %sCmd Num : %d\Log\install.log\install.dmp
Source: Cm2GRjWK1C.exe String found in binary or memory: x64x86vdrive.sysvdrive.sysSleep 1000Run MainExe.exe /installrunas/install /XI:Run Install Params: %s.
Source: unknown Process created: C:\Users\user\Desktop\Cm2GRjWK1C.exe "C:\Users\user\Desktop\Cm2GRjWK1C.exe"
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,6494542625534998801,13089621614096395101,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2452 /prefetch:3
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\dba1d" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\dba1d" & exit Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2348,i,6494542625534998801,13089621614096395101,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2452 /prefetch:3 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11 Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Cm2GRjWK1C.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Cm2GRjWK1C.exe Static file information: File size 8282848 > 1048576
Source: Cm2GRjWK1C.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b8a00
Source: Cm2GRjWK1C.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x41a000
Source: Cm2GRjWK1C.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: Cm2GRjWK1C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Cm2GRjWK1C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Cm2GRjWK1C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Cm2GRjWK1C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Cm2GRjWK1C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Cm2GRjWK1C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Cm2GRjWK1C.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Cm2GRjWK1C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: f:\workspace\installer\online\setup\Release\R_Online.pdb source: Cm2GRjWK1C.exe
Source: Cm2GRjWK1C.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Cm2GRjWK1C.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Cm2GRjWK1C.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Cm2GRjWK1C.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Cm2GRjWK1C.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 3888 Thread sleep count: 99 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D4B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose, 0_3_02D4B6B0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D55EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,_mbscpy,_splitpath,_mbscpy,strlen,isupper,wsprintfA,_mbscpy,strlen,SHFileOperation,FindClose, 0_3_02D55EB0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D54E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,CopyFileA,FindClose, 0_3_02D54E70
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D47210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,memset,CopyFileA,DeleteFileA,memset,FindClose, 0_3_02D47210
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D53FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,FindClose, 0_3_02D53FD0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D413F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose, 0_3_02D413F0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D53580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose, 0_3_02D53580
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D497B0 FindFirstFileA,FindNextFileA,strlen, 0_3_02D497B0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D48360 FindFirstFileA,CopyFileA,FindNextFileA,strlen,CopyFileA,FindClose, 0_3_02D48360
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D4ACD0 wsprintfA,FindFirstFileA,strlen,lstrlen,DeleteFileA,CopyFileA,FindClose, 0_3_02D4ACD0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D48C90 lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,strlen,lstrcpy,memset,lstrcpy,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpy,lstrcpy,CopyFileA,FindClose,FindClose,DeleteFileA, 0_3_02D48C90
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D54950 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrlen,lstrlen, 0_3_02D54950
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D53AF0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrlen, 0_3_02D53AF0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D4FDD0 GetSystemInfo,wsprintfA, 0_3_02D4FDD0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor8
Source: chrome.exe, 00000008.00000002.1475944559.00001ECC02F60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1466824910.00000241C0E66000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1466824910.00000241C0EAD000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorllysq
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitione
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorr
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service+
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010A3000.00000004.00000020.00020000.00000000.sdmp, Cm2GRjWK1C.exe, 00000000.00000002.1678369352.000000000103E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 00000008.00000003.1420648301.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420014745.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419760405.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419951551.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420402118.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418618943.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419390513.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420768520.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420460629.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419552033.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420168318.00000241C3465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical ProcessM+
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition2
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ns4806Hyper-V Hypeoa
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipess$
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 00000008.00000003.1418462618.00000241C33D0000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C33D6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416018590.00000241C33CE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418526897.00000241C33D5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C33D6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C33D6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C33D6000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1415846006.00000241C33CE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419290033.00000241C33D4000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418866939.00000241C33D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1min9716Runtime Count Infinite3094Hyper-V Virtual Machine Bus Pipes3096Reads/sec3098Writes/sec3100Bytes Read/sec3102Bytes Written/sec9616SMB Direct Connection9618Stalls (Send Credit)/sec
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976HyperT
Source: chrome.exe, 00000008.00000003.1420648301.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420014745.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419760405.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3463000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419951551.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420402118.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418618943.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419390513.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420768520.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420460629.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419552033.00000241C3465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4
Source: chrome.exe, 00000008.00000003.1416018590.00000241C33CE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1415846006.00000241C33CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ::$DATAeHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: chrome.exe, 00000008.00000002.1479243117.00001ECC03A74000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware Virtual USB Mouse
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: chrome.exe, 00000008.00000002.1477281374.00001ECC03424000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: gle\Chrome\User Data\Default\Download Service\Files\21abf2e3-eeca-436a-8e7b-0eb003e8c149USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=16ad8e3b-ae9e-445f-8351-e2bfa7d65741
Source: chrome.exe, 00000008.00000003.1415866773.00000241C3394000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417238734.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416826257.00000241C3395000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416272678.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417565247.00000241C3396000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1416038141.00000241C338D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1417045580.00000241C3395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionlv
Source: chrome.exe, 00000008.00000003.1384486138.00001ECC0257C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware20,1(
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: chrome.exe, 00000008.00000002.1477281374.00001ECC03424000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=16ad8e3b-ae9e-445f-8351-e2bfa7d65741
Source: chrome.exe, 00000008.00000002.1464059582.00000241BD18D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 00000008.00000003.1420648301.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420014745.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419760405.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.1467433951.00000241C3463000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419951551.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420402118.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1418618943.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419390513.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420768520.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1420460629.00000241C3465000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1419552033.00000241C3465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816**
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V fhthymoloioumux Bus`
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0EAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorc.sysp
Source: chrome.exe, 00000008.00000003.1418435381.00000241C3485000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Interc
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partitione
Source: chrome.exe, 00000008.00000003.1419231556.00000241C34C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus PipesuiG
Source: chrome.exe, 00000008.00000003.1416102848.00000241C33C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 0
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processorc
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0EAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processorc
Source: chrome.exe, 00000008.00000002.1466824910.00000241C0EAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor&
Source: chrome.exe, 00000008.00000002.1467433951.00000241C3341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V fhthymoloioumux Bus Pipes
Source: chrome.exe, 00000008.00000003.1416367159.00000241C3383000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: arking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: chrome.exe, 00000008.00000003.1418462618.00000241C33D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions CostDL p
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_010101A3 LdrLoadDll, 0_3_010101A3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C103DD mov edx, dword ptr fs:[00000030h] 0_2_02C103DD
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C1099D mov eax, dword ptr fs:[00000030h] 0_2_02C1099D
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C119DB mov eax, dword ptr fs:[00000030h] 0_2_02C119DB
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C10FED mov eax, dword ptr fs:[00000030h] 0_2_02C10FED
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C10FEC mov eax, dword ptr fs:[00000030h] 0_2_02C10FEC
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_2_02C10D4D mov eax, dword ptr fs:[00000030h] 0_2_02C10D4D
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D42690 lstrlen,StrCmpCA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,GetProcessHeap,RtlAllocateHeap,memcpy,lstrlen,memcpy,lstrlen,memcpy,lstrlen,HttpSendRequestA,Sleep,HttpQueryInfoA,InternetReadFile,InternetReadFile,StrCmpCA,InternetCloseHandle,InternetCloseHandle, 0_3_02D42690

HIPS / PFW / Operating System Protection Evasion
barindex
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D51310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle, 0_3_02D51310
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\dba1d" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11 Jump to behavior
Source: Cm2GRjWK1C.exe Binary or memory string: SeShutdownPrivilegeDo Restart ...Get privilege fail !?*.*//?&??%02x-%02x-%02x-%02x-%02x-%02x00-05-6900-0C-2900-50-5600-1c-1400-1C-4200-03-FF00-0F-4Bopen00-16-3E08-00-27ADVAPI32.dllCreateProcessWithTokenW -AdminrunasGetNativeSystemInfokernel32Shell_TrayWndProgramW6432\*.*...\\*Error:.It looks like the setup file has been corrupted, please download again...%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02Xhttp://www.dvdfab.cn/bad_package.htm?s=22DVDFab2622\DVDFab Player 527Passkey0Random : max(%d), index(%d).
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: LocalAlloc,GetLocaleInfoA,GetLocaleInfoA,LocalFree, 0_3_02D4FC20
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D5BAA0 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_3_02D5BAA0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D56F80 memset,GetModuleFileNameA,ShellExecuteEx,memset,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW, 0_3_02D56F80
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Code function: 0_3_02D4FBC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_3_02D4FBC0
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.1286006933.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1300135134.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1300089487.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1285961370.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Cm2GRjWK1C.exe PID: 7628, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus Web3 Wallet
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MultiDoge
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Cm2GRjWK1C.exe, 00000000.00000002.1678369352.00000000010F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.1678369352.00000000010A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Cm2GRjWK1C.exe PID: 7628, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\Cm2GRjWK1C.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.1286006933.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1300135134.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1300089487.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1285961370.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1314253795.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Cm2GRjWK1C.exe PID: 7628, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1639254 Sample: Cm2GRjWK1C.exe Startdate: 15/03/2025 Architecture: WINDOWS Score: 100 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Yara detected Vidar stealer 2->39 41 2 other signatures 2->41 7 Cm2GRjWK1C.exe 28 2->7         started        process3 dnsIp4 29 95.217.30.53, 443, 49725, 49728 HETZNER-ASDE Germany 7->29 31 127.0.0.1 unknown unknown 7->31 43 Attempt to bypass Chrome Application-Bound Encryption 7->43 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 7->45 47 Found many strings related to Crypto-Wallets (likely being stolen) 7->47 49 5 other signatures 7->49 11 chrome.exe 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 dnsIp7 33 192.168.2.4, 138, 443, 49708 unknown unknown 11->33 16 chrome.exe 11->16         started        19 conhost.exe 14->19         started        21 timeout.exe 1 14->21         started        process8 dnsIp9 23 plus.l.google.com 142.250.185.142, 443, 49759 GOOGLEUS United States 16->23 25 play.google.com 142.250.185.206, 443, 49761 GOOGLEUS United States 16->25 27 2 other IPs or domains 16->27
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.186.68
 www.google.com United States
15169 GOOGLEUS false
142.250.185.206
 play.google.com United States
15169 GOOGLEUS false
95.217.30.53
 unknown Germany
24940 HETZNER-ASDE true
142.250.185.142
 plus.l.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name IP Active
plus.l.google.com 142.250.185.142 true
play.google.com 142.250.185.206 true
www.google.com 142.250.186.68 true
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://95.217.30.53/ true
  • Avira URL Cloud: safe
 unknown
https://steamcommunity.com/profiles/76561199829660832 false
    		high
    https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE false
      		high