Windows Analysis Report
GqjUrFW.dll

Overview

General Information

Sample name: GqjUrFW.dll
Analysis ID: 1502263
MD5: 06ea49951dde098f018a213ee7a8a38d
SHA1: e8e31ed1db5f018664abf85154112ee1f478e9e2
SHA256: 9b0892598b3725a436c414e9dddb9ef43b85d9bb08c2007dd8735a14374d132e
Tags: dll
Infos:

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found suspicious ZIP file
Machine Learning detection for sample
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Installs a Chrome extension
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: GqjUrFW.dll Avira: detected
Source: https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/List_of_Google_domains.html Avira URL Cloud: Label: phishing
Source: GqjUrFW.dll Virustotal: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: GqjUrFW.dll Joe Sandbox ML: detected
Source: GqjUrFW.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\{EA8CA8DA-5FF9-493B-AC9C-93682EE7EB16}.xpi
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: rundll32.exe, 00000003.00000003.1666646738.0000000005043000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "*://www.facebook.com/platform/impression.php*", equals www.facebook.com (Facebook)
Source: omni.ja.bak.3.dr String found in binary or memory: "url": "https://www.yahoo.com/?fr=hp-avast&type=752" equals www.yahoo.com (Yahoo)
Source: omni.ja.bak.3.dr String found in binary or memory: "www.facebook.com" equals www.facebook.com (Facebook)
Source: omni.ja.bak.3.dr String found in binary or memory: "www.youtube.com.", equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000003.00000003.1668735841.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1667800987.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662288717.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php** equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662288717.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php*8OcN equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691390596.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747461262.000000000339B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php*: equals www.facebook.com (Facebook)
Source: omni.ja.bak.3.dr String found in binary or memory: http://certificates.godaddy.com/repository
Source: omni.ja.bak.3.dr String found in binary or memory: http://certificates.starfieldtech.com/repository
Source: omni.ja.bak.3.dr String found in binary or memory: http://certs.godaddy.com/repository/
Source: omni.ja.bak.3.dr String found in binary or memory: http://certs.starfieldtech.com/repository/
Source: omni.ja.bak.3.dr String found in binary or memory: http://foo.com
Source: omni.ja.bak.3.dr String found in binary or memory: http://foo.com/
Source: omni.ja.bak.3.dr String found in binary or memory: http://mozilla.org/MPL/2.0/
Source: omni.ja.bak.3.dr String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: omni.ja.bak.3.dr String found in binary or memory: http://mozilla.org/f
Source: omni.ja.bak.3.dr String found in binary or memory: http://mozilla.org/foo/b
Source: omni.ja.bak.3.dr String found in binary or memory: http://mozilla.org/foo/bar/b
Source: omni.ja.bak.3.dr String found in binary or memory: http://mozilla.org/foo/bar/baz
Source: omni.ja.bak.3.dr String found in binary or memory: http://nazwa.pl
Source: omni.ja.bak.3.dr String found in binary or memory: http://schema.org
Source: omni.ja.bak.3.dr String found in binary or memory: http://schema.org/
Source: omni.ja.bak.3.dr String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: omni.ja.bak.3.dr String found in binary or memory: https://accounts.firefox.com/
Source: omni.ja.bak.3.dr String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: omni.ja.bak.3.dr String found in binary or memory: https://addons.mozilla.org
Source: omni.ja.bak.3.dr String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: omni.ja.bak.3.dr String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: omni.ja.bak.3.dr String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: omni.ja.bak.3.dr String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: omni.ja.bak.3.dr String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691390596.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747461262.000000000339B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691435396.000000000339A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691413102.00000000033A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691390596.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691413102.00000000033A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpA
Source: rundll32.exe, 00000003.00000003.1666746155.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1666780653.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1666684582.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpe6
Source: rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etplK
Source: omni.ja.bak.3.dr String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: omni.ja.bak.3.dr String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: omni.ja.bak.3.dr String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: omni.ja.bak.3.dr String found in binary or memory: https://autosug.ebay.com/autosug
Source: prefs.js_tempHROxPC.3.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: prefs.js_tempHROxPC.3.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1142137
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1145157
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1149603
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1150585
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1155114
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1155119
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1155145
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1181126
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1197885
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1205651
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1250907
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1252142
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1263733
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1267648
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1286752
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1288354
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1289808
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1300977
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1309305
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1312150
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1314673
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1315199
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1329981
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1334069
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1343305
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1365660
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1372336
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1372586
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1373288
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1374809
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1375006
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1378427
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1379974
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1381863
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1385914
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1391095
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1392378
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1393281
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1394595
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1397312
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1400600
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1402128
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1402158
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1407558
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1407559
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1414039
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1420411
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1423239
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1423400
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1425166
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1425376
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1427034
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1429055
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1429636
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1430172
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1430498
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1432467
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1433118
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1436524
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1437038
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1447252
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1458321
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1465399
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1480853
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1484351
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1484798
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1487485
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1504300
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1512640
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1513609
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1521150
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539007
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1569803
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1572287
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1664854
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1674587
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678378
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1679183
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1688277
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1691227
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1691771
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694779
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1703616
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1709666
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1713980
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1716034
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1717548
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1719704
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1724254
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1740553
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1761053
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1762994
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1780845
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1797566
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1798526
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1834089
Source: omni.ja.bak.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1839689
Source: omni.ja.bak.3.dr String found in binary or memory: https://certs.godaddy.com/repository/
Source: omni.ja.bak.3.dr String found in binary or memory: https://certs.starfieldtech.com/repository/
Source: rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: rundll32.exe, 00000005.00000003.1748202041.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748317016.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreC
Source: omni.ja.bak.3.dr String found in binary or memory: https://chromium.googlesource.com/chromium/src/
Source: rundll32.exe, 00000005.00000003.1748317016.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp, manifest.json0.3.dr, Secure Preferences.3.dr String found in binary or memory: https://clients11.google.com/service/update2/crx
Source: rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients13.google.com/service/update2/crx
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: manifest.json.3.dr String found in binary or memory: https://clients85.google.com/service/update2/crx
Source: omni.ja.bak.3.dr String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: omni.ja.bak.3.dr String found in binary or memory: https://content.cdn.mozilla.net
Source: prefs.js_tempHROxPC.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: prefs.js_tempHROxPC.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: omni.ja.bak.3.dr String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: omni.ja.bak.3.dr String found in binary or memory: https://coverage.mozilla.org
Source: omni.ja.bak.3.dr String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: omni.ja.bak.3.dr String found in binary or memory: https://deploy-preview-1234--perf-html.netlify.com
Source: omni.ja.bak.3.dr String found in binary or memory: https://deploy-preview-1234--perf-html.netlify.com/
Source: omni.ja.bak.3.dr String found in binary or memory: https://deploy-preview-1234567--perf-html.netlify.app
Source: omni.ja.bak.3.dr String found in binary or memory: https://developer.chrome.com/apps/i18n
Source: omni.ja.bak.3.dr String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Navigator/requestMIDIAccess
Source: omni.ja.bak.3.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: omni.ja.bak.3.dr String found in binary or memory: https://developer.twitter.com/en/docs/twitter-for-websites/)
Source: rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: omni.ja.bak.3.dr String found in binary or memory: https://docs.telemetry.mozilla.org/concepts/pipeline/http_edge_spec.html?highlight=docId#postput-req
Source: omni.ja.bak.3.dr String found in binary or memory: https://docs.telemetry.mozilla.org/cookbooks/new_ping.html#sending-a-custom-ping)
Source: omni.ja.bak.3.dr String found in binary or memory: https://domain.com/file.js:1:10
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: rundll32.exe, 00000004.00000003.1726664804.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748202041.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748317016.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: rundll32.exe, 00000004.00000003.1726664804.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748202041.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748317016.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: rundll32.exe, 00000004.00000003.1726664804.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748202041.00000000033A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748317016.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: rundll32.exe, 00000004.00000003.1725918469.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1726664804.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: rundll32.exe, 00000004.00000003.1726664804.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: rundll32.exe, 00000004.00000003.1725918469.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1726664804.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1728672568.000000000475E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: rundll32.exe, 00000003.00000003.1666646738.0000000005043000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662076222.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662227982.0000000002CB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: omni.ja.bak.3.dr String found in binary or memory: https://duckduckgo.com/?q=
Source: omni.ja.bak.3.dr String found in binary or memory: https://firefox-source-docs.mozilla.org/browser/components/newtab/docs/v2-system-addon/about_home_st
Source: omni.ja.bak.3.dr String found in binary or memory: https://firefox-source-docs.mozilla.org/browser/urlbar/telemetry.html
Source: omni.ja.bak.3.dr String found in binary or memory: https://firefox-source-docs.mozilla.org/dom/ipc/jsactors.html
Source: omni.ja.bak.3.dr String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/bestpractices.html#detecting-and-avoiding-synchr
Source: omni.ja.bak.3.dr String found in binary or memory: https://firefox.dns.nextdns.io/
Source: omni.ja.bak.3.dr String found in binary or memory: https://fpn.firefox.com
Source: omni.ja.bak.3.dr String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: omni.ja.bak.3.dr String found in binary or memory: https://github.com/firefox-devtools/debugger/blob/master/assets/panel/prefs.js
Source: omni.ja.bak.3.dr String found in binary or memory: https://github.com/mozilla-services/mozilla-pipeline-schemas
Source: omni.ja.bak.3.dr String found in binary or memory: https://github.com/mozilla/gcp-ingestion/blob/master/docs/edge.md#postput-request
Source: omni.ja.bak.3.dr String found in binary or memory: https://github.com/web-platform-tests/wpt
Source: omni.ja.bak.3.dr String found in binary or memory: https://groups.google.com/forum/#
Source: omni.ja.bak.3.dr String found in binary or memory: https://html.spec.whatwg.org/multipage/microdata.html#values
Source: omni.ja.bak.3.dr String found in binary or memory: https://ideas.mozilla.org/
Source: prefs.js_tempHROxPC.3.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: omni.ja.bak.3.dr String found in binary or memory: https://install.mozilla.org
Source: omni.ja.bak.3.dr String found in binary or memory: https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/List_of_Google_domains.html
Source: omni.ja.bak.3.dr String found in binary or memory: https://main--perf-html.netlify.app
Source: omni.ja.bak.3.dr String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: omni.ja.bak.3.dr String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: rundll32.exe, 00000004.00000003.1665124584.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mnthor.xyz
Source: rundll32.exe, 00000004.00000003.1665124584.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1665124584.0000000002CE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mnthor.xyzdesktop-notification
Source: rundll32.exe, 00000004.00000003.1665124584.0000000002CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mnthor.xyzxyzad.xyz
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com/about
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: omni.ja.bak.3.dr String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: omni.ja.bak.3.dr String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: omni.ja.bak.3.dr String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: omni.ja.bak.3.dr String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: omni.ja.bak.3.dr String found in binary or memory: https://opengraphprotocol.org/)
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.googl
Source: rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsy
Source: omni.ja.bak.3.dr String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: omni.ja.bak.3.dr String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: omni.ja.bak.3.dr String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: omni.ja.bak.3.dr String found in binary or memory: https://profiler.firefox.com
Source: rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js8
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsx
Source: omni.ja.bak.3.dr String found in binary or memory: https://schema.org
Source: omni.ja.bak.3.dr String found in binary or memory: https://schema.org/
Source: omni.ja.bak.3.dr String found in binary or memory: https://screenshots.firefox.com
Source: omni.ja.bak.3.dr String found in binary or memory: https://search.avast.com/AV752/
Source: omni.ja.bak.3.dr String found in binary or memory: https://searchfox.org/mozilla-central/rev/560b7b1b17/browser/themes/shared/tabs.css#624
Source: omni.ja.bak.3.dr String found in binary or memory: https://searchfox.org/mozilla-central/rev/f40d29a11f2eb4685256b59934e637012ea6fb78/gfx/cairo/cairo/s
Source: omni.ja.bak.3.dr String found in binary or memory: https://searchfox.org/mozilla-central/search?q=search-telemetry-schema.json
Source: omni.ja.bak.3.dr String found in binary or memory: https://searchfox.org/mozilla-central/source/browser/installer/windows/msix/AppxManifest.xml.in.
Source: omni.ja.bak.3.dr String found in binary or memory: https://searchfox.org/mozilla-central/source/browser/installer/windows/nsis/shared.nsh
Source: omni.ja.bak.3.dr String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: omni.ja.bak.3.dr String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: omni.ja.bak.3.dr String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: omni.ja.bak.3.dr String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: omni.ja.bak.3.dr String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: rundll32.exe, 00000003.00000003.1666646738.0000000005043000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668735841.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1667800987.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662076222.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662227982.0000000002CB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691390596.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691435396.000000000339A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: rundll32.exe, 00000003.00000003.1666746155.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1666780653.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1666684582.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg09W
Source: rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691390596.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691435396.000000000339A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svgp
Source: omni.ja.bak.3.dr String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: omni.ja.bak.3.dr String found in binary or memory: https://source.chromium.org/chromium/chromium/src/
Source: omni.ja.bak.3.dr String found in binary or memory: https://stackoverflow.com/a/32724723.
Source: rundll32.exe, 00000003.00000003.1666646738.0000000005043000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668735841.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1667800987.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662076222.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662227982.0000000002CB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: rundll32.exe, 00000003.00000003.1667800987.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662076222.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662227982.0000000002CB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-help
Source: omni.ja.bak.3.dr String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: omni.ja.bak.3.dr String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: omni.ja.bak.3.dr String found in binary or memory: https://topsites.mozilla.com/cid/foo.
Source: omni.ja.bak.3.dr String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: omni.ja.bak.3.dr String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: omni.ja.bak.3.dr String found in binary or memory: https://truecolors.firefox.com
Source: omni.ja.bak.3.dr String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: omni.ja.bak.3.dr String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: omni.ja.bak.3.dr String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: omni.ja.bak.3.dr String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: prefs.js_tempHROxPC.3.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: rundll32.exe, 00000003.00000003.1666646738.0000000005043000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668735841.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1667800987.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662076222.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662227982.0000000002CB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: prefs.js_tempHROxPC.3.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.foo.com
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.foo.com:1234
Source: rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748100105.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748125900.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/:
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.google.com/?bcutc=sp-004-752
Source: rundll32.exe, 00000004.00000003.1742442383.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748301069.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/?h=6fiz7bk1dli28pjdzprzc2iifgzk4e22xjoo.ja7lk70wr
Source: rundll32.exe, 00000005.00000003.1748317016.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748431003.0000000003393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748391683.0000000003385000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp, Secure Preferences.3.dr String found in binary or memory: https://www.google.com/?h=bq2w5i6ru5np2fu3rd3eltwiyje2l6w8844g.mq7doifak
Source: rundll32.exe, 00000004.00000003.1742442383.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/?h=tyjjeh2ogi3qqdrbygpj96fo04sd8rncm8xt.gg4fdx0u7lease
Source: rundll32.exe, 00000004.00000003.1725949573.0000000002D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/C=
Source: rundll32.exe, 00000003.00000003.1666646738.0000000005043000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662092513.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662204025.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662183688.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662076222.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1662227982.0000000002CB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1691361420.000000000337D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: rundll32.exe, 00000005.00000003.1748277196.0000000003398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly8N
Source: rundll32.exe, 00000004.00000003.1725918469.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1726664804.0000000004751000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: rundll32.exe, 00000005.00000003.1748182382.0000000003396000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747771408.0000000003393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrao
Source: rundll32.exe, 00000004.00000003.1725973200.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1746658586.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1747936828.00000000033B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.maps.google.com/a/place
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: omni.ja.bak.3.dr String found in binary or memory: https://www.yahoo.com/?fr=hp-avast&type=752

System Summary

Source: {EA8CA8DA-5FF9-493B-AC9C-93682EE7EB16}.xpi.3.dr Zip Entry: main.js
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\system32\GroupPolicy\Adm
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\system32\GroupPolicy\Machine
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\system32\GroupPolicy\User
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Source: GqjUrFW.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal84.phis.spyw.winDLL@10/143@0/0
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Program Files\Mozilla Firefox\browser\features\{EA8CA8DA-5FF9-493B-AC9C-93682EE7EB16}.xpi
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H143457741
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H114011913
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\2_PhpuzIakkdPWqpI
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H5174114
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H139200187
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H94612912
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H52000344
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H106351840
Source: GqjUrFW.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Program Files\Mozilla Firefox\application.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GqjUrFW.dll,#1
Source: rundll32.exe, 00000004.00000003.1663649708.0000000004841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000004.00000003.1663649708.0000000004841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: GqjUrFW.dll Virustotal: Detection: 39%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\GqjUrFW.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GqjUrFW.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GqjUrFW.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GqjUrFW.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GqjUrFW.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GqjUrFW.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GqjUrFW.dll,#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GqjUrFW.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GqjUrFW.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\{EA8CA8DA-5FF9-493B-AC9C-93682EE7EB16}.xpi
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\{EA8CA8DA-5FF9-493B-AC9C-93682EE7EB16}.xpi
Source: GqjUrFW.dll Static file information: File size 6760960 > 1048576
Source: GqjUrFW.dll Static PE information: Raw size of .data is bigger than: 0x100000 < 0x5ec000
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\icons
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\icons\ficon128.png
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\icons\icon128.png
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\icons\icon16.png
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\icons\icon48.png
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\manifest.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\am
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\am\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ar
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ar\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\be
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\be\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\bg
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\bg\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\bn
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\bn\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ca
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ca\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\cs
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\cs\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\da
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\da\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\de
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\de\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\el
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\el\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en_GB
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en_GB\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en_TO
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en_TO\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en_US
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\en_US\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\es
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\es\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\es_419
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\es_419\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\et
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\et\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fa
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fa\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fi
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fi\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fil
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fil\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fr
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fr\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\gu
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\gu\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\he
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\he\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hi
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hi\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hr
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hr\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hu
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hu\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\id
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\id\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\it
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\it\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ja
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ja\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\kn
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\kn\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ko
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ko\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lt
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lt\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lv
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lv\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mk
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mk\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ml
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ml\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mr
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mr\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ms
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ms\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\nl
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\nl\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\no
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\no\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pl
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pl\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_BR
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_BR\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_PT
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_PT\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ro
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ro\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ru
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ru\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sk
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sk\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sl
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sl\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sq
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sq\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sr
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sr\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sv
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sv\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sw
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sw\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ta
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ta\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\te
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\te\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\th
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\th\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\tr
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\tr\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\uk
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\uk\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\vi
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\vi\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_CN
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_CN\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_TW
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_TW\messages.json
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\es_419\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\et Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\et\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fa Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fa\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fi Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fi\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fil Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fil\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\fr\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\gu Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\gu\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\he Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\he\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hi Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hi\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hr\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hu Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\hu\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\id Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\id\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\it Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\it\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ja Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ja\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\kn Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\kn\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ko Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ko\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lt Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lt\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lv Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\lv\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mk Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mk\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ml Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ml\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\mr\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ms Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ms\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\nl Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\nl\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\no Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\no\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pl Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pl\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_BR Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_BR\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_PT Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\pt_PT\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ro Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ro\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ru Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ru\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sk Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sk\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sl Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sl\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sq Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sq\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sr\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sv Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sv\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sw Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\sw\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ta Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\ta\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\te Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\te\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\th Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\th\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\tr Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\tr\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\uk Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\uk\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\vi Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\vi\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_CN Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_CN\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_TW Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlhgjfmdjomnlhfacokoibjlcmcmgoec\1.0.0_0\_locales\zh_TW\messages.json Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: omni.ja.bak.3.dr Binary or memory string: "vmware.com",
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GqjUrFW.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js_tempHROxPC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js_tempHROxPC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js_tempbXaqbV Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js_tempbXaqbV Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior

Stealing of Sensitive Information

barindex
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCachevXKGn\urlCache-current.bin Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCachevXKGn Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite-journal Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pingsBksRb Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js_tempHROxPC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCachevXKGn\urlCache.bin Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pingsBksRb\45e26519-596d-41a5-b290-e547b44111fd Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCachevXKGn\scriptCache-current.bin Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCachevXKGn\startupCache.8.little Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCachevXKGn\webext.sc.lz4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCachevXKGn\scriptCache-child-current.bin Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pingsBksRb\7278f154-e8f4-4235-84c5-c5c1c6af0084 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pingsBksRb\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js_tempbXaqbV Jump to behavior
No contacted IP infos