URL:

https://www.bigfishgames.com/online-games/7783/turtleodyssey2/index.html

Full analysis: https://app.any.run/tasks/80fde6df-74e2-4a93-b725-9e76f0740df4
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 09, 2020, 22:38:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
adware
Indicators:
MD5:

650033D671B7292A3B36706D9422B9DE

SHA1:

0DA06638FEAEB53592DACD2E39A11940239281B3

SHA256:

BAA96846F7951992BFC5BD202AB05C209989A0D29AB98337954A0593631911DB

SSDEEP:

3:N8DSLs4NSsL5hAWJZjRCKML65G:2OLs4EsLDTtCKXG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • chrome.exe (PID: 4080)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 2296)
      • bfgclient.exe (PID: 572)
    • Loads dropped or rewritten executable

      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 1928)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 2296)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 3036)
      • bfgsetup_s1_l1.exe (PID: 3736)
      • bfgsetup_s1_l1.exe (PID: 1648)
      • bfgclient.exe (PID: 3204)
      • epoch.exe (PID: 2896)
      • bfgclient.exe (PID: 3868)
      • bfggameservices.exe (PID: 276)
      • WerFault.exe (PID: 2180)
      • WerFault.exe (PID: 1924)
      • bfgclient.exe (PID: 572)
      • bfgclient.exe (PID: 1456)
      • setup_gF1365T1L1_d3075873673_l1_s1.exe (PID: 3428)
    • Application was dropped or rewritten from another process

      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 1928)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 3036)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 2296)
      • bfgclient.exe (PID: 3204)
      • bfgsetup_s1_l1.exe (PID: 1648)
      • epoch.exe (PID: 2896)
      • gmActivator.exe (PID: 4060)
      • bfgclient.exe (PID: 3868)
      • bfggameservices.exe (PID: 276)
      • gmActivator.exe (PID: 1868)
      • bfgclient.exe (PID: 572)
      • bfgclient.exe (PID: 1456)
      • gmActivator.exe (PID: 3664)
      • gmActivator.exe (PID: 2512)
      • setup_gF1365T1L1_d3075873673_l1_s1.exe (PID: 3428)
      • hlnmbgq.exe (PID: 2356)
      • hlnmbgq.exe (PID: 1680)
      • hlnmbgq.exe (PID: 1520)
      • hlnmbgq.exe (PID: 3584)
      • Turtle Odyssey 2.exe (PID: 2940)
      • Turtle Odyssey 2.exe (PID: 1168)
      • hlnmbgq.exe (PID: 2604)
      • hlnmbgq.exe (PID: 2840)
    • Actions looks like stealing of personal data

      • bfgclient.exe (PID: 3204)
      • epoch.exe (PID: 2896)
      • WerFault.exe (PID: 2180)
      • bfgclient.exe (PID: 572)
    • Changes settings of System certificates

      • bfgclient.exe (PID: 3204)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 760)
      • chrome.exe (PID: 4080)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 3036)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 2296)
      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 1928)
      • bfgsetup_s1_l1.exe (PID: 1648)
      • bfgsetup_s1_l1.exe (PID: 3736)
      • epoch.exe (PID: 2896)
      • setup_gF1365T1L1_d3075873673_l1_s1.exe (PID: 3428)
      • bfgclient.exe (PID: 572)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 760)
    • Application launched itself

      • turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe (PID: 3036)
      • bfgclient.exe (PID: 572)
      • bfgclient.exe (PID: 3204)
    • Modifies the open verb of a shell class

      • bfgsetup_s1_l1.exe (PID: 1648)
    • Creates a software uninstall entry

      • bfgsetup_s1_l1.exe (PID: 1648)
      • setup_gF1365T1L1_d3075873673_l1_s1.exe (PID: 3428)
    • Creates files in the program directory

      • bfgclient.exe (PID: 3204)
      • bfgsetup_s1_l1.exe (PID: 1648)
      • WerFault.exe (PID: 2180)
      • WerFault.exe (PID: 1924)
      • bfgclient.exe (PID: 572)
      • gmActivator.exe (PID: 2512)
      • hlnmbgq.exe (PID: 3584)
      • setup_gF1365T1L1_d3075873673_l1_s1.exe (PID: 3428)
    • Creates COM task schedule object

      • gmActivator.exe (PID: 1868)
    • Executed via COM

      • iexplore.exe (PID: 4052)
    • Reads Internet Cache Settings

      • bfgclient.exe (PID: 572)
    • Adds / modifies Windows certificates

      • bfgclient.exe (PID: 3204)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 760)
      • iexplore.exe (PID: 4052)
    • Reads the hosts file

      • chrome.exe (PID: 4080)
      • chrome.exe (PID: 760)
      • bfgclient.exe (PID: 3204)
      • bfgclient.exe (PID: 572)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 760)
      • iexplore.exe (PID: 4052)
      • iexplore.exe (PID: 3600)
    • Reads settings of System Certificates

      • chrome.exe (PID: 760)
      • chrome.exe (PID: 4080)
      • bfgclient.exe (PID: 3204)
      • iexplore.exe (PID: 4052)
      • bfgclient.exe (PID: 572)
      • iexplore.exe (PID: 3600)
    • Dropped object may contain Bitcoin addresses

      • bfgsetup_s1_l1.exe (PID: 1648)
    • Manual execution by user

      • chrome.exe (PID: 2544)
      • bfgclient.exe (PID: 572)
    • Changes internet zones settings

      • iexplore.exe (PID: 4052)
    • Creates files in the user directory

      • iexplore.exe (PID: 3600)
      • iexplore.exe (PID: 4052)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3600)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 4052)
    • Changes settings of System certificates

      • iexplore.exe (PID: 4052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
113
Monitored processes
63
Malicious processes
19
Suspicious processes
8

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
276"C:\Program Files\bfgclient\bfggameservices.exe"C:\Program Files\bfgclient\bfggameservices.exe
bfgclient.exe
User:
admin
Integrity Level:
HIGH
Description:
Big Fish Games: Game Services Application
Exit code:
0
Version:
3.3.0.2
Modules
Images
c:\program files\bfgclient\bfggameservices.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
572"C:\Program Files\bfgclient\bfgclient.exe" -uC:\Program Files\bfgclient\bfgclient.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Big Fish: Game Manager Application
Exit code:
0
Version:
3.3.0.2
Modules
Images
c:\program files\bfgclient\bfgclient.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
760"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.bigfishgames.com/online-games/7783/turtleodyssey2/index.html"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
824"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,12524004998646490451,14273510568170639986,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=1978108086926911999 --mojo-platform-channel-handle=4604 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
852"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f5ba9d0,0x6f5ba9e0,0x6f5ba9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
884"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,12524004998646490451,14273510568170639986,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15938915019532329765 --mojo-platform-channel-handle=4824 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
916"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,12524004998646490451,14273510568170639986,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16573729800734085819 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1168"C:\Program Files\Turtle Odyssey 2\Turtle Odyssey 2.exe"C:\Program Files\Turtle Odyssey 2\Turtle Odyssey 2.exeTurtle Odyssey 2.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\turtle odyssey 2\turtle odyssey 2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
1220"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,12524004998646490451,14273510568170639986,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18069888485076251508 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1456"C:\Program Files\bfgclient\bfgclient.exe" --type=renderer --no-sandbox --user-agent=BFGBrowser_Windows --lang --log-file="C:\BigFishCache/GameManager/log/cefLog.txt" --log-severity=disable --channel="572.0.962157814\518699400" /prefetch:3C:\Program Files\bfgclient\bfgclient.exebfgclient.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Big Fish: Game Manager Application
Exit code:
0
Version:
3.3.0.2
Modules
Images
c:\program files\bfgclient\bfgclient.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
6 461
Read events
4 121
Write events
2 315
Delete events
25

Modification events

(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2204) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:760-13236215924442750
Value:
259
(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(760) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:3120-13213713943555664
Value:
0
(PID) Process:(760) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
Executable files
59
Suspicious files
324
Text files
2 419
Unknown types
350

Dropped files

PID
Process
Filename
Type
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5EE00F75-2F8.pma
MD5:
SHA256:
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\9e2bd5e9-955a-4985-b760-cd9fd6e80192.tmp
MD5:
SHA256:
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old
MD5:
SHA256:
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:FC9FFE77348619CC285333DFF5E1D5D1
SHA256:7CB9B3575330B3D776A21EB7A7407E34F013A0975B7418DA11B5C85DEC91D1F3
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF15ce75.TMPtext
MD5:6F174C3088498A2CD266BCA5EE2F6624
SHA256:2EEEC1240EB66978ED12E9034F8D4284B0CA1DC82495954636D68140E2187FA4
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENTtext
MD5:6A98C47BE0F529C22E61263BCF4804C0
SHA256:444C150EE4BCFCED9404F47E0CFE6F49B0E753A8C7AB597107844F156CF104FE
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
760chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF15cf5f.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
79
TCP/UDP connections
206
DNS requests
84
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4080
chrome.exe
GET
302
172.217.21.238:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
520 b
whitelisted
4080
chrome.exe
GET
200
173.194.182.167:80
http://r2---sn-hpa7zns6.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=185.128.27.133&mm=28&mn=sn-hpa7zns6&ms=nvh&mt=1591742235&mv=m&mvi=1&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
4080
chrome.exe
GET
302
172.217.21.238:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvY2Y1QUFXUjZlVjI5UldyLVpDTFJFcEx6QQ/7719.805.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
525 b
whitelisted
4080
chrome.exe
GET
200
173.194.160.218:80
http://r4---sn-hpa7zn7d.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvY2Y1QUFXUjZlVjI5UldyLVpDTFJFcEx6QQ/7719.805.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=Nf&mip=185.128.27.133&mm=28&mn=sn-hpa7zn7d&ms=nvh&mt=1591742235&mv=m&mvi=3&pl=24&shardbypass=yes
US
crx
823 Kb
whitelisted
3036
turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe
GET
200
2.16.186.32:80
http://cdn-games.bigfishsites.com/gm_32/gm_content_32/installThrottle.json?t=C:\Users\admin\AppData\Local\Temp\nswA0EB.tmp
unknown
text
6 b
whitelisted
4080
chrome.exe
GET
200
208.77.152.139:80
http://downloads.bigfishgames.com/turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe?gameWID=F1365T1L1&downloadID=3075873673&siteID=1&langID=1&type=gminstaller
US
executable
232 Kb
malicious
2296
turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe
GET
200
2.16.186.32:80
http://cdn-games.bigfishsites.com/gm_32/gm_installers/currentInstallers/Windows/bfginstaller32.exe
unknown
executable
32.8 Mb
whitelisted
2296
turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe
GET
200
208.77.152.139:80
http://downloads.bigfishgames.com/tracking.php?track_msg=eyJJREVOVElGSUVSIjoiMzA3NTg3MzY3MyIsICJJREVOVElGSUVSX1RZUEUiOiJET1dOTE9BRElEIiwgIkNVUlJFTlRfU0lURUlEIjoiIiwgIkNVUlJFTlRfTEFOR1VBR0VJRCI6IiIsICJTVFVCX0xBTkdVQUdFSUQiOiIxIiwgIlNUVUJfU0lURUlEIjoiMSIsICJDT1VOVEVSIjoiMCIsIlVQR1JBREVTT1VSQ0UiOiJET1dOTE9BRCIsICJWRVJTSU9OX1RPIjoiMy4zLjAuMiIsICJWRVJTSU9OX0ZST00iOiIwLjAuMC4wIiwgIk9TTkFNRSI6IldJTl83IiwgIk9TVkVSU0lPTiI6IjYuMS43NjAxLjE3OTMyIiwgIklOU1RBTExBVElPTl9TVEFUVVMiOiJTVUNDRVNTIiwiRVJST1JfTEVWRUwiOiIwIn0=
US
text
2 b
malicious
3204
bfgclient.exe
GET
200
208.77.152.143:80
http://gtm-games.bigfishsites.com/gm_32/gm_content_32/plugins/pluginManifest.json
US
text
79 b
suspicious
3204
bfgclient.exe
GET
200
2.16.186.16:80
http://cdn-games.bigfishsites.com/gm_32/gm_content_32/LiveLoadScript/liveLoadScript.js?_=1591742423941
unknown
text
6.71 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4080
chrome.exe
172.217.16.173:443
accounts.google.com
Google Inc.
US
whitelisted
4080
chrome.exe
208.77.152.196:443
www.bigfishgames.com
Big Fish Games, Inc.
US
malicious
4080
chrome.exe
2.16.186.33:443
bigfishassets-a.akamaihd.net
Akamai International B.V.
whitelisted
4080
chrome.exe
172.217.22.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
4080
chrome.exe
216.58.212.174:443
www.google-analytics.com
Google Inc.
US
whitelisted
4080
chrome.exe
2.16.186.10:443
bigfishthemes-a.akamaihd.net
Akamai International B.V.
whitelisted
4080
chrome.exe
216.58.207.40:443
ssl.google-analytics.com
Google Inc.
US
whitelisted
4080
chrome.exe
2.16.186.35:443
bigfishgames-a.akamaihd.net
Akamai International B.V.
whitelisted
4080
chrome.exe
172.217.18.174:443
clients1.google.com
Google Inc.
US
whitelisted
4080
chrome.exe
173.194.76.154:443
stats.g.doubleclick.net
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.3
whitelisted
www.bigfishgames.com
  • 208.77.152.196
malicious
accounts.google.com
  • 172.217.16.173
shared
bigfishassets-a.akamaihd.net
  • 2.16.186.33
  • 2.16.186.9
whitelisted
bigfishthemes-a.akamaihd.net
  • 2.16.186.10
  • 2.16.186.9
whitelisted
www.google-analytics.com
  • 216.58.212.174
  • 172.217.23.110
whitelisted
ssl.google-analytics.com
  • 216.58.207.40
whitelisted
bigfishgames-a.akamaihd.net
  • 2.16.186.35
  • 2.16.186.42
whitelisted
clients1.google.com
  • 172.217.18.174
whitelisted
stats.g.doubleclick.net
  • 173.194.76.154
  • 173.194.76.156
  • 173.194.76.155
  • 173.194.76.157
whitelisted

Threats

PID
Process
Class
Message
4080
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4080
chrome.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2296
turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe
Misc activity
ADWARE [PTsecurity] PUA:Win32/Conduit
2296
turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
572
bfgclient.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
6 ETPRO signatures available at the full report
Process
Message
bfgclient.exe
================================================================================
bfgclient.exe
PERF::06/09/2020 23:40:19.945::CLIENT_INIT::3.3.0.2
bfgclient.exe
INFO::06/09/2020 23:40:23.739::INFO_MESSAGE::Stub message received.
bfgclient.exe
INFO::06/09/2020 23:40:23.744::INFO_MESSAGE::l=1::s=1::z=C:\Users\admin\Downloads\turtleodyssey2_s1_l1_gF1365T1L1_d3075873673.exe
bfgclient.exe
PERF::06/09/2020 23:40:24.102::STARTUP_FROM_UI
bfgclient.exe
PERF::06/09/2020 23:40:24.153::URLS_SENT
bfgclient.exe
PERF::06/09/2020 23:40:24.268::OPTIONS_SENT
bfgclient.exe
PERF::06/09/2020 23:40:24.323::USER_DATA_SENT
bfgclient.exe
PERF::06/09/2020 23:40:24.481::GAME_UPDATE_REQUEST_BEGIN
bfgclient.exe
INFO::06/09/2020 23:40:24.532::INFO_MESSAGE::Stub message received.