socelars | 33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 13:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zSCD97F9B7/61cf42cf81412_Fri1748d73b51.exe
Size

1.4MB
MD5

0a058a7671659d7864802f509fee9478
SHA1

7eb76e6b0e58c2bfc685644b3bf93aafab3d1900
SHA256

0fbfd4aeeda37b64b59ed22d85e7253352b3ae930726f073cbd36998f98c8a8e
SHA512

31e59a18b2b75e72f8db422279f324a674d41ca554c46f683496196d5003856d59f74e5ceae0a667e7caf3b9875015264ee416b3ee51e16d4ddc8856f6c0aa88
SSDEEP

24576:Qvp1T0ZhIjR+IXbtCOEqmb3tUJoEYdG/9QDMbh7zXIqmjvLZL:+pCuZ4OuD4+AhzXIqmjjZL

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	61cf42cf81412_Fri1748d73b51.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.org
5	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61cf42cf81412_Fri1748d73b51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3932	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796074081326292"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeAssignPrimaryTokenPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeLockMemoryPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeIncreaseQuotaPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeMachineAccountPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeTcbPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeSecurityPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeTakeOwnershipPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeLoadDriverPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeSystemProfilePrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeSystemtimePrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeProfSingleProcessPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeIncBasePriorityPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeCreatePagefilePrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeCreatePermanentPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeBackupPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeRestorePrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeShutdownPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeDebugPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeAuditPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeSystemEnvironmentPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeChangeNotifyPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeRemoteShutdownPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeUndockPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeSyncAgentPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeEnableDelegationPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeManageVolumePrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeImpersonatePrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeCreateGlobalPrivilege	3508	61cf42cf81412_Fri1748d73b51.exe
Token: 31	3508	61cf42cf81412_Fri1748d73b51.exe
Token: 32	3508	61cf42cf81412_Fri1748d73b51.exe
Token: 33	3508	61cf42cf81412_Fri1748d73b51.exe
Token: 34	3508	61cf42cf81412_Fri1748d73b51.exe
Token: 35	3508	61cf42cf81412_Fri1748d73b51.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 5044	3508	61cf42cf81412_Fri1748d73b51.exe	83
PID 3508 wrote to memory of 5044	3508	61cf42cf81412_Fri1748d73b51.exe	83
PID 3508 wrote to memory of 5044	3508	61cf42cf81412_Fri1748d73b51.exe	83
PID 5044 wrote to memory of 3932	5044	cmd.exe	85
PID 5044 wrote to memory of 3932	5044	cmd.exe	85
PID 5044 wrote to memory of 3932	5044	cmd.exe	85
PID 3508 wrote to memory of 1504	3508	61cf42cf81412_Fri1748d73b51.exe	87
PID 3508 wrote to memory of 1504	3508	61cf42cf81412_Fri1748d73b51.exe	87
PID 1504 wrote to memory of 1312	1504	chrome.exe	88
PID 1504 wrote to memory of 1312	1504	chrome.exe	88
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 2780	1504	chrome.exe	89
PID 1504 wrote to memory of 4964	1504	chrome.exe	90
PID 1504 wrote to memory of 4964	1504	chrome.exe	90
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91
PID 1504 wrote to memory of 4476	1504	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42cf81412_Fri1748d73b51.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42cf81412_Fri1748d73b51.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa3a40cc40,0x7ffa3a40cc4c,0x7ffa3a40cc58
    3⤵
    PID:1312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    PID:2780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:8
    3⤵
    PID:4476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    PID:3424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3756,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    PID:3124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
    3⤵
    PID:928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
    3⤵
    PID:1556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
    3⤵
    PID:2908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5184,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5276 /prefetch:8
    3⤵
    PID:4556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5504,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5512 /prefetch:2
    3⤵
    PID:1464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4940,i,17674395398587079127,4776674025763846783,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=832 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1416

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2024

Network

DNS

www.listincode.com

61cf42cf81412_Fri1748d73b51.exe

Remote address:

8.8.8.8:53

Request

www.listincode.com

IN A

Response
DNS

iplogger.org

61cf42cf81412_Fri1748d73b51.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

172.67.74.161

iplogger.org

IN A

104.26.2.46

iplogger.org

IN A

104.26.3.46
GET

https://iplogger.org/143up7

61cf42cf81412_Fri1748d73b51.exe

Remote address:

172.67.74.161:443

Request

GET /143up7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: iplogger.org
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Date: Wed, 25 Dec 2024 13:36:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: qXTAqbiZLDoRCY44jkGACXMbjEvRCkesslVAqZKdec+hTrK1CYwtGGSi7HQ6r6yrvnVIrLHgHI5+kTE3FFMrxbKj2MmFojFbAako1onp+9/jQrHCeN/GLwYQ0UE+hT+uNQWOFFOBl2E7qHOaBTqh5g==$cr2Fcrb92fmlu0DEdA+aOA==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E2INk6IRZPQDI8kXk0fPgLW5lJyqbfeYYQiZb2AeHAmF%2B71Outsu%2Fz3usX%2BFVbaSmY75EPElmUfD9xM7KOZb%2FbRA3U7H%2FUWHezV5XswsJ4tKEJ2rfhiSWIgGj%2BaGSKo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f7938ad1f5bd1f7-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26406&min_rtt=26225&rtt_var=4377&sent=5&recv=9&lost=0&retrans=0&sent_bytes=3286&recv_bytes=497&delivery_rate=152164&cwnd=253&unsent_bytes=0&cid=82ce07d22a5190e1&ts=435&x=0"
DNS

c.pki.goog

61cf42cf81412_Fri1748d73b51.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.67
GET

http://c.pki.goog/r/gsr1.crl

61cf42cf81412_Fri1748d73b51.exe

Remote address:

142.250.179.67:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 25 Dec 2024 12:48:34 GMT
Expires: Wed, 25 Dec 2024 13:38:34 GMT
Cache-Control: public, max-age=3000
Age: 2886
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

61cf42cf81412_Fri1748d73b51.exe

Remote address:

142.250.179.67:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 25 Dec 2024 13:30:22 GMT
Expires: Wed, 25 Dec 2024 14:20:22 GMT
Cache-Control: public, max-age=3000
Age: 378
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

161.74.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

161.74.67.172.in-addr.arpa

IN PTR

Response
DNS

180.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.129.81.91.in-addr.arpa

IN PTR

Response
DNS

67.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.179.250.142.in-addr.arpa

IN PTR

Response

67.179.250.142.in-addr.arpa

IN PTR

par21s19-in-f31e100net
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.20.164
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 429

date: Wed, 25 Dec 2024 13:36:46 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate
content-type: text/html
server: HTTP server (unknown)
content-length: 3153
content-type: text/html
content-length: 3153
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CPjuygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGO6UsLsGIjAr2MH_fa696TapmH6cCNXSnCPjrxtThFBa6iZz7YFJ4fZkgbsoDX9EAzcAdGchMl4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGO6UsLsGIjAr2MH_fa696TapmH6cCNXSnCPjrxtThFBa6iZz7YFJ4fZkgbsoDX9EAzcAdGchMl4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

164.20.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.20.217.172.in-addr.arpa

IN PTR

Response

164.20.217.172.in-addr.arpa

IN PTR

par10s49-in-f41e100net

164.20.217.172.in-addr.arpa

IN PTR

waw02s07-in-f164�H

164.20.217.172.in-addr.arpa

IN PTR

waw02s07-in-f4�H
DNS

74.214.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.214.58.216.in-addr.arpa

IN PTR

Response

74.214.58.216.in-addr.arpa

IN PTR

fra15s10-in-f101e100net

74.214.58.216.in-addr.arpa

IN PTR

fra15s10-in-f74�H

74.214.58.216.in-addr.arpa

IN PTR

par10s39-in-f10�H
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

172.217.20.206
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D79%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D79%2526e%253D1

chrome.exe

Remote address:

172.217.20.206:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D79%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D79%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=lcK5DP5zh20e5fp6dqJHR8lMf2Eaa7xWJsBIG3oQ6F6obzMoYd9sY1Ne6Fa-YWbLX4eN81ncUeDtcMzoZhcFtVCElOh4yB_XLX1KlwyncsWJJDMGr2HgHjY67OUPs9DRXHJ2PWgDP0HJd5T2jKUDs7I-dZWkCpsaRqF85_zwEkEnXFzu-m3L_MGYVluz3GYR5w
DNS

clients2.googleusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.googleusercontent.com

IN A

Response

clients2.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

142.250.179.65
GET

https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx

chrome.exe

Remote address:

142.250.179.65:443

Request

GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/2.0
host: clients2.googleusercontent.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

206.20.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.20.217.172.in-addr.arpa

IN PTR

Response

206.20.217.172.in-addr.arpa

IN PTR

par10s50-in-f141e100net

206.20.217.172.in-addr.arpa

IN PTR

waw02s08-in-f206�I

206.20.217.172.in-addr.arpa

IN PTR

waw02s08-in-f14�I
DNS

65.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.179.250.142.in-addr.arpa

IN PTR

Response

65.179.250.142.in-addr.arpa

IN PTR

par21s19-in-f11e100net
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

beacons.gcp.gvt2.com

chrome.exe

Remote address:

8.8.8.8:53

Request

beacons.gcp.gvt2.com

IN A

Response

beacons.gcp.gvt2.com

IN CNAME

beacons-handoff.gcp.gvt2.com

beacons-handoff.gcp.gvt2.com

IN A

142.250.187.195
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

142.250.187.195:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 819
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net

172.67.74.161:443

https://iplogger.org/143up7

tls, http

61cf42cf81412_Fri1748d73b51.exe

1.5kB
15.0kB
23
20

HTTP Request

GET https://iplogger.org/143up7

HTTP Response

403
142.250.179.67:80

http://c.pki.goog/r/r4.crl

http

61cf42cf81412_Fri1748d73b51.exe

556 B
3.8kB
7
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
172.217.20.164:443

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGO6UsLsGIjAr2MH_fa696TapmH6cCNXSnCPjrxtThFBa6iZz7YFJ4fZkgbsoDX9EAzcAdGchMl4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

tls, http2

chrome.exe

2.7kB
13.7kB
27
35

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGO6UsLsGIjAr2MH_fa696TapmH6cCNXSnCPjrxtThFBa6iZz7YFJ4fZkgbsoDX9EAzcAdGchMl4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429
172.217.20.206:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D79%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D79%2526e%253D1

tls, http2

chrome.exe

2.2kB
9.8kB
15
19

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D79%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D79%2526e%253D1
142.250.179.65:443

https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx

tls, http2

chrome.exe

4.9kB
173.3kB
82
133

HTTP Request

GET https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx
142.250.187.195:443

https://beacons.gcp.gvt2.com/domainreliability/upload

tls, http2

chrome.exe

2.5kB
6.6kB
14
15

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload

8.8.8.8:53

www.listincode.com

dns

61cf42cf81412_Fri1748d73b51.exe

64 B
137 B
1
1

DNS Request

www.listincode.com
8.8.8.8:53

iplogger.org

dns

61cf42cf81412_Fri1748d73b51.exe

58 B
106 B
1
1

DNS Request

iplogger.org

DNS Response

172.67.74.161

104.26.2.46

104.26.3.46
8.8.8.8:53

c.pki.goog

dns

61cf42cf81412_Fri1748d73b51.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.67
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

161.74.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

161.74.67.172.in-addr.arpa
8.8.8.8:53

180.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

180.129.81.91.in-addr.arpa
8.8.8.8:53

67.179.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.179.250.142.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.20.164
8.8.8.8:53

164.20.217.172.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

164.20.217.172.in-addr.arpa
8.8.8.8:53

74.214.58.216.in-addr.arpa

dns

72 B
171 B
1
1

DNS Request

74.214.58.216.in-addr.arpa
172.217.20.164:443

www.google.com

https

chrome.exe

2.8kB
14.2kB
14
17
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

172.217.20.206
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

clients2.googleusercontent.com

dns

chrome.exe

76 B
121 B
1
1

DNS Request

clients2.googleusercontent.com

DNS Response

142.250.179.65
8.8.8.8:53

206.20.217.172.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

206.20.217.172.in-addr.arpa
8.8.8.8:53

65.179.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

65.179.250.142.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

beacons.gcp.gvt2.com

dns

chrome.exe

66 B
112 B
1
1

DNS Request

beacons.gcp.gvt2.com

DNS Response

142.250.187.195
8.8.8.8:53

195.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.187.250.142.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c5e451d0020915808b7aee0930aa4193

SHA1
61ea1aaf2fec2dd35c095f8513b051ab563d43eb

SHA256
a11d2e4ed57adccf055ab52ec1190282053d7b44b4e9ca460e5d89fdc5bc1db2

SHA512
2a3535ea402340e283a93fac72966366c31c5b410f0bb61be411071d2594fb636ec0a9ede449aab961616bdcb47b48764e00a1acff59b6c7a3922bc4d51cc39b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
75b77063270637c60a51ea0e0c2458f1

SHA1
21d6d647aad682172387c0112490b915faec828c

SHA256
e2af6ecdd94a9cb0c30bbffd4ba3d5b72afb31e5c1acc1ae278f1d3304a4be91

SHA512
51c7b1ef99dba6c10951afd6127f467fe41f43657813de86ee955423ec98f105148b58391c6be5321326d708d043c37bba2d25734d27d815f83a4edc107160bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
043604ed45ece3d3acb0e6f84a4a9c3b

SHA1
ea41e60c76687861dee907a76dfe428a2e377c22

SHA256
040d57ca4f489285f852323ae3643490509ea4d3eba7fbb125c31af7ab1d00ae

SHA512
f3c3e586a199295e5ba38c196e8aeceabbd916b035c7ebf58028e9b8ba8a6348e0d66ac1f0cb313a96017a84f0806ae5ff76cf8674020105d44463a217d27754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
33be27b681acd8847e39abca170c67c9

SHA1
6d68ec02bd34c884f7ceb82e62f2ba09fbd4b73a

SHA256
3f702e0186dc56629c5d6336b146f178905d6126398dd44aafb5a926aed7ce44

SHA512
d98b53b7b8195231484d38fd15c5b19374cb0becc86e3946bc499422fcc461d393cb693bc44300317d9366e545acb9d1b55670ae1abadf318a82c492655bf3d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b9c97ea4b2d1cdca558321d1fe78caf

SHA1
b6d4808a227000dc839a4a7f0342e879a4bf54b1

SHA256
dc309cb6206681b252882b41bbd1e23d48f714cfb7647d79d3d848ec7c5188bf

SHA512
21e4c737ec977d7e29e73084db30e64b93189ee0edf591f4d88bef29c7a205a40e005971410a788e34c235ab9fe4827f4d996c6c9d9ae256103c292e63a2dd5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4f861cbe4a98b6796f7b308c3f599bd

SHA1
6dfba0524eef1bdbb1095e20a963da2fc0193f0a

SHA256
2957429d2d08e2dae5bc1baec4257268c39dbc4ba1c7b5726376363a07ad11c1

SHA512
0e3ccc953fed5d84de0acf8493d9e5577311e0ea3a952860619d048bb6e3b8dbbd3d03369851139c4a5f258c5f22066077384b0d372dc696b9a7b36d58ccb87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd3f151730f1a5499b26105572b6f8db

SHA1
fc20ef238ea7158c4097f4b4d3fd344e843973d9

SHA256
295e197ec7ebba2f236350897ef31cf32b0899b031631f86f797add2340a91a4

SHA512
3adf572f8d5f885c37a5ad052c59dbc0cdf42cbeb3f8571971f56810e353283878ed326b76e4a7ff652b6775358a23cd3fb8ee4fd00f131a96d288d6dd18863c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc795554b0538d658e4f8808101cbbda

SHA1
01fab09251a44c98d1e17e2e50f3ba4d820a9ae9

SHA256
5620b80ec395a275679a4c4e6895da30caaff8218d2d4950ed1744aa492868dd

SHA512
9485c2b87f892d06c2a0e3b2391f27d32e3cb7ad31e76f1d70355df66e99932ab1f4e8588ae5152a1676ccb06781cde53dd242b36bcb0e15c2c558d7560fdc57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
18e99c4dc9e7b5aaf6f92ee76d1e96da

SHA1
bca7c6d714bf96c78a3c0f44e6249811b9b8f0b5

SHA256
7a6b13cbcba25525bc855cb0b3406e2008d883732768a46c1be698168742c633

SHA512
4f1349579f2c4deea39b255c5165a13e6b4341b580cb4207fe92fdb0281e956f552d2ada12d8cdc1dd9f7a30fceeadc3a9624cc92f0e0ba13cea188ae9c7e146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
f58419196c169c0e4de7a6018c870fe7

SHA1
e4802d79e9e044faf7e18774285f54fb060aec18

SHA256
82748bb633ac8d60021928b42de6f82670377e9bbfc9b8ed583e893724199db2

SHA512
d5d6034fe1cb9131b5c64bfebd4d62818e06f27a1aa55dc4a44f39b5318458b680f9004690e2557168c75ce9c0ed088d81f13cd69d9f2d895225ae706353ea1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f2cba5b3abcee1c3314408243543b7e9

SHA1
a7b890d5bbd6addc45b474041f440d05d88dbc63

SHA256
229b28f3f5cb9854365dfa7f23bc51638c3cd1feb160fb4082b8cd60cd1fd169

SHA512
2d33b1f349c9263976d85defebef2d62aa03c50353ab287020eb09e47f28878ca49851d790c08acdb40f808becad216e8f2aac6eb7ed3e18f22009dcf53ebc28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
bc0ea51a3f7ab5f264095ed87aa6f376

SHA1
e62be7e71c8365b884807684ef3d5337d09acaef

SHA256
fb0be279c85dab05f7bb75519d381698c05199e8287a76cb8e74516a842f9505

SHA512
4e3a2e01bbf32b3eb406fcc5c61fa25533dd90880d10fd7cd40166e70f81671b2a153ba04aeab434383a8e2049e0c1136e40df7e0b249577b912f270feae96df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e8b23e08c3976c1ae1755eb8bacb8f1e

SHA1
12d9ae5eedf067fba7a99e91c8f3293decec7318

SHA256
5e29f6a6879a3439d8569ec493090685972dfc5c8aac31b876db4c73437ca1e2

SHA512
01ea52dff390596c68731a5fdde906da9f788745ea306ebf9afff653924dbbd8a7d88a1a041450ab46c3cb2453f3af693bb5ab7406412ea98c44b33b2af8cd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1504_836468225\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1504_836468225\cc86f492-1931-4349-aca7-7de72b383df6.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.