File name: | VsTelemetry.7z |
Full analysis: | https://app.any.run/tasks/cf64a3b8-fd72-40fd-883f-1d3e63d78cf0 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 13:01:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | 0EFCEAECE847C3CBD141293AC42A11C9 |
SHA1: | 0DD818A2AC5F9FED7D12317BC57C0B91E664556F |
SHA256: | C4A4DC81ABC724D5A8C003746A095DB746CF3F83B64623144AAF2B20DAAF787F |
SSDEEP: | 6144:Xd5mlPjbXM3jxXIvtcBVMDbqpw8FtaYeu/wYX/+YfFlFZcyVdHEJ0eoHrBWHeW4V:tM4jx4vtcXaY/NlFZdVNEt26pzdo |
.7z | | | 7-Zip compressed archive (v0.4) (57.1) |
---|---|---|
.7z | | | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1580 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VsTelemetry.7z" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
3972 | "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe" | C:\Users\admin\Desktop\VsTelemetry\safenotes.exe | Explorer.EXE | |
User: admin Company: Siber Systems Integrity Level: HIGH Description: RoboForm Safenote Editor Exit code: 0 Version: 6-9-3 | ||||
1032 | esentutl.exe | C:\Windows\system32\esentutl.exe | safenotes.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R) Version: 6.1.7600.16385 (win7_rtm.090713-1255) CobalStrike(PID) Process(1032) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview (PID) Process(1032) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview | ||||
4036 | "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe" | C:\Users\admin\Desktop\VsTelemetry\safenotes.exe | — | Explorer.EXE |
User: admin Company: Siber Systems Integrity Level: MEDIUM Description: RoboForm Safenote Editor Exit code: 0 Version: 6-9-3 | ||||
876 | esentutl.exe | C:\Windows\system32\esentutl.exe | safenotes.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R) Version: 6.1.7600.16385 (win7_rtm.090713-1255) CobalStrike(PID) Process(876) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview (PID) Process(876) esentutl.exe BeaconTypeHTTP (PID) Process(876) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview | ||||
4076 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3692 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | Explorer.EXE | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 | ||||
3772 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6e75d988,0x6e75d998,0x6e75d9a4 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 | ||||
2484 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,11591444428085578073,4960249371874873104,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1072 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 | ||||
3548 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1064,11591444428085578073,4960249371874873104,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1348 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3692 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62B9AAAC-E6C.pma | — | |
MD5:— | SHA256:— | |||
1580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1580.3106\VsTelemetry\Default\Default.manifest.json | text | |
MD5:6B08BF9656F21A1B74B2237F3FBCBDB9 | SHA256:930D657EBB9B4D8D630C36F8FE29255F0EEF39669A1687B276BEFE060E3375F7 | |||
3692 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\9a5ff628-5f73-4927-a197-198dfc3cc425.tmp | text | |
MD5:FEC83FB7608B871D74E4E26B3C577476 | SHA256:C85902692F505DCBD6C685CC3D68B1B96EA8F166507AEEAC52E3B935EF392A37 | |||
1580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1580.3106\VsTelemetry\roboform.dll | executable | |
MD5:73990A2552C6A2B56E8AEC2FE78F2A66 | SHA256:616A6EC793242BE50B2CB0A21BB6FE5D40134B5098BDC6B2D113C1C9A3199EFA | |||
1580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1580.3106\VsTelemetry\safenotes.exe | executable | |
MD5:CF58DFD4F667C695E38440D88BAA6BDF | SHA256:F38F2AA81501CC8DA1C18EE8681CEEAF43883F56BB58C11CAB2F258B111214E6 | |||
1580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1580.3106\VsTelemetry\freshmp3 | binary | |
MD5:F74122C82023591A7DFAC4446F321988 | SHA256:B2C4B743CC4351F667638EE6024B29A04017BA42F90819861FAB541AFA8B98AE | |||
3692 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version | text | |
MD5:00046F773EFDD3C8F8F6D0F87A2B93DC | SHA256:593EDE11D17AF7F016828068BCA2E93CF240417563FB06DC8A579110AEF81731 | |||
3772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma | binary | |
MD5:03C4F648043A88675A920425D824E1B3 | SHA256:F91DBB7C64B4582F529C968C480D2DCE1C8727390482F31E4355A27BB3D9B450 | |||
3692 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text | |
MD5:8FF312A95D60ED89857FEB720D80D4E1 | SHA256:946A57FAFDD28C3164D5AB8AB4971B21BD5EC5BFFF7554DBF832CB58CC37700B | |||
3692 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF11e4cf.TMP | text | |
MD5:64AD8ED3E666540337BA541C549F72F7 | SHA256:BECBDB08B5B37D203A85F2E974407334053BB1D2270F0B3C9A4DB963896F2206 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3548 | chrome.exe | GET | — | 74.125.111.8:80 | http://r3---sn-5goeenez.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=196.196.52.6&mm=28&mn=sn-5goeenez&ms=nvh&mt=1656334583&mv=m&mvi=3&pl=24&rmhost=r1---sn-5goeenez.gvt1.com&shardbypass=sd&smhost=r1---sn-5goeen76.gvt1.com | US | — | — | suspicious |
— | — | HEAD | 302 | 142.251.37.110:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | — | — | whitelisted |
— | — | GET | 302 | 142.251.37.110:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | html | 610 b | whitelisted |
3548 | chrome.exe | GET | — | 138.201.229.154:80 | http://weather.decsal.com/ | DE | — | — | unknown |
— | — | HEAD | 200 | 173.194.150.220:80 | http://r6---sn-5goeen7r.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3?cms_redirect=yes&mh=VX&mip=196.196.52.6&mm=28&mn=sn-5goeen7r&ms=nvh&mt=1656334583&mv=m&mvi=6&pl=24&rmhost=r3---sn-5goeen7r.gvt1.com&shardbypass=sd&smhost=r1---sn-5goeenez.gvt1.com | US | — | — | whitelisted |
3548 | chrome.exe | GET | 302 | 142.251.37.110:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 591 b | whitelisted |
— | — | GET | 302 | 142.251.37.110:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | html | 610 b | whitelisted |
— | — | GET | — | 173.194.150.220:80 | http://r6---sn-5goeen7r.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3?cms_redirect=yes&mh=VX&mip=196.196.52.6&mm=28&mn=sn-5goeen7r&ms=nvh&mt=1656334583&mv=m&mvi=6&pl=24&rmhost=r3---sn-5goeen7r.gvt1.com&shardbypass=sd&smhost=r1---sn-5goeenez.gvt1.com | US | — | — | whitelisted |
— | — | GET | 206 | 173.194.150.220:80 | http://r6---sn-5goeen7r.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3?cms_redirect=yes&mh=VX&mip=196.196.52.6&mm=28&mn=sn-5goeen7r&ms=nvh&mt=1656334583&mv=m&mvi=6&pl=24&rmhost=r3---sn-5goeen7r.gvt1.com&shardbypass=sd&smhost=r1---sn-5goeenez.gvt1.com | US | binary | 5.64 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3548 | chrome.exe | 142.250.185.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3548 | chrome.exe | 142.250.186.100:443 | www.google.com | Google Inc. | US | whitelisted |
3548 | chrome.exe | 142.251.36.67:443 | www.gstatic.com | Google Inc. | US | unknown |
876 | esentutl.exe | 138.201.229.154:443 | weather.decsal.com | Hetzner Online GmbH | DE | unknown |
1032 | esentutl.exe | 138.201.229.154:443 | weather.decsal.com | Hetzner Online GmbH | DE | unknown |
3548 | chrome.exe | 142.250.184.238:443 | clients2.google.com | Google Inc. | US | whitelisted |
3548 | chrome.exe | 142.251.37.109:443 | accounts.google.com | Google Inc. | US | unknown |
3548 | chrome.exe | 138.201.229.154:80 | weather.decsal.com | Hetzner Online GmbH | DE | unknown |
3548 | chrome.exe | 142.250.185.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3548 | chrome.exe | 142.250.186.99:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
weather.decsal.com |
| unknown |
clientservices.googleapis.com |
| whitelisted |
clients2.google.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| whitelisted |
clients2.googleusercontent.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |