Windows Analysis Report
OEFKKGFCAHBECCGCKJGBNFCLCMNJGIDG_1_5_9_0 (1).crx

Overview

General Information

Sample name:	OEFKKGFCAHBECCGCKJGBNFCLCMNJGIDG_1_5_9_0 (1).crx
Analysis ID:	1417471
MD5:	063c62c7c191f34e3adf27912b679c46
SHA1:	237cf820913d7320f5a379148d76da801fe96139
SHA256:	dc2b59a19680bd2e88c4a89d24b5695819808fff2acb41ce827ad6aad2e51987
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

IP address seen in connection with other malware

Installs a Chrome extension

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Chromium Browser Instance Executed With Custom Extension

Tries to load missing DLLs

Classification

Signatures

Source: unknown	HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49758 version: TLS 1.2

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.8.114
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.0.0
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.0.0
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmpTArGNe3mrAGIjCxSZ32kqtf1wo2hYSgiWWMiLq2BR_jmSiISbxHrDb_-NdiagK04Su2Nr5B77ol5IgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk; 1P_JAR=2024-03-29-10
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmpTArGNe3mrAGIjDCQcX2g0chw2hR2lhqwQl7GKIAAERYj72DhBlTjaLxXCCV9uiNHZqyaKNCQKQb3CUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk; 1P_JAR=2024-03-29-10
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gfryM5gE1NH7xWc&MD=kPKxn24p HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gfryM5gE1NH7xWc&MD=kPKxn24p HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: foundation-icons.eot, foundation-icons.svg, foundation-icons.ttf	String found in binary or memory: http://fontforge.sf.net)
Source: foundation-icons.eot, foundation-icons.ttf	String found in binary or memory: http://fontforge.sf.net)Created
Source: foundation-icons.eot, foundation-icons.ttf	String found in binary or memory: http://fontforge.sf.net)fontcustomfontcustomMediumMediumFontForge
Source: background.js	String found in binary or memory: http://oauth.net/grant_type/device/1.0
Source: LICENSE, foundation-icons.css	String found in binary or memory: http://zurb.com/playground/foundation-icon-fonts-3
Source: background.js	String found in binary or memory: https://app.real-debrid.com/oauth/v2/device/code?client_id=
Source: background.js	String found in binary or memory: https://app.real-debrid.com/oauth/v2/device/credentials?client_id=
Source: background.js	String found in binary or memory: https://app.real-debrid.com/oauth/v2/token
Source: background.js	String found in binary or memory: https://app.real-debrid.com/rest/1.0/hosts/regex
Source: background.js	String found in binary or memory: https://app.real-debrid.com/rest/1.0/hosts/regexFolder
Source: background.js	String found in binary or memory: https://app.real-debrid.com/rest/1.0/unrestrict/folder
Source: background.js	String found in binary or memory: https://app.real-debrid.com/rest/1.0/unrestrict/link
Source: background.js	String found in binary or memory: https://app.real-debrid.com/rest/1.0/user
Source: manifest.json	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: settings.html	String found in binary or memory: https://real-debrid.com
Source: LICENSE, manifest.json, popup.html, settings.html	String found in binary or memory: https://real-debrid.com/
Source: background.js	String found in binary or memory: https://real-debrid.com/authorize?client_id=
Source: popup.js	String found in binary or memory: https://real-debrid.com/streaming-

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.56.8.114:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49758 version: TLS 1.2

Tries to load missing DLLs

Source: C:\Windows\System32\7za.exe

Section loaded: 7z.dll

Jump to behavior

Source: classification engine

Classification label: clean3.winCRX@27/30@2/3

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03

Source: C:\Windows\System32\7za.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\7za.exe 7za.exe x -oC:\chrome "C:\Users\user\Desktop\OEFKKGFCAHBECCGCKJGBNFCLCMNJGIDG_1_5_9_0 (1).crx"
Source: C:\Windows\System32\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\chrome
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1664 --field-trial-handle=2016,i,859544963767796602,16029275681761701210,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1664 --field-trial-handle=2016,i,859544963767796602,16029275681761701210,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Installs a Chrome extension

Source: unknown

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\chrome

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.251.111.99	www.google.com	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false

Private

IP
192.168.2.4

Contacted Domains

Name	IP	Active
www.google.com	142.251.111.99	true

Contacted URLs

Name	Malicious	Reputation
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmpTArGNe3mrAGIjCxSZ32kqtf1wo2hYSgiWWMiLq2BR_jmSiISbxHrDb_-NdiagK04Su2Nr5B77ol5IgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high
https://www.google.com/async/newtab_promos	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmpTArGNe3mrAGIjDCQcX2g0chw2hR2lhqwQl7GKIAAERYj72DhBlTjaLxXCCV9uiNHZqyaKNCQKQb3CUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high

ID:	1417471
Product:	CloudBasic
Start time:	11:44:57
Start date:	29.03.2024
Sample:	OEFKKGFCAHBECCGCKJGBNFCLCMNJGIDG_1_5_9_0 (1).crx
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	063c62c7c191f34e3adf27912b679c46
SHA1:	237cf820913d7320f5a379148d76da801fe96139
SHA256:	dc2b59a19680bd2e88c4a89d24b5695819808fff2acb41ce827ad6aad2e51987
Filetype:	Google Chrome Extension (11504/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\chrome\LICENSE	ASCII text, with CRLF line terminators	1CC6F0824F4AAE9DE0661B18E8A4B900	0268B90F1854D4220ACFB2E8FFA1770F7DFD6613	4220E6C6ABB190816DDC126D7D17C0F7AD6135DCBCE2D30F2C45150FF9421C08
C:\chrome\_locales\en\messages.json	JSON data	29835F58A94BED25D93B3EEA44C51423	0E43B64F314455F8741CF535B1FDE7A93AEE3A65	CD53D1BE8F6D6BF846593BBB346FD2F2E33EC2075C0226A4F668303286BC87AF
C:\chrome\_locales\fr\messages.json	JSON data	93E705CEA4F7B917F059BFD291786084	A8E53D59F462F791EF53DA0C7555B58BF2874757	0B07C1FE23F60C3DA446C22FF2AAD6B87F06AF1CEBFA9F37EDBA78D2B6D764D5
C:\chrome\_metadata\verified_contents.json	JSON data	1B577A761D67F013A7BAD211CA9FF5C5	45B55F5FA0836E4ECC6D0AF57B4ABAFBA21BDCD7	58DDBB1FB93C94E1790E614050056381A90D2BFCA938DEF5E21AFF46F47407EA
C:\chrome\css\foundation-icons\foundation-icons.css	ASCII text, with CRLF line terminators	68844D2C98E2E1B3004CEDF00F2E51A1	426036F1D554B9DFFAE8B38ACC36CADE40D9521A	4268828E332479438339207E75862C8FF4B195DAB0AA5EB90EE5D10CEC4057C9
C:\chrome\css\foundation-icons\foundation-icons.eot	Embedded OpenType (EOT), fontcustom family	92827F088B9EDA87169BDC2B9888CE52	D584172686583FD510D8F04CF21E6E77FCE51435	9189CD8788A2D42F89ECB72F08D55CC366A3ABC441C3413D9CECA66EC3144E46
C:\chrome\css\foundation-icons\foundation-icons.svg	SVG Scalable Vector Graphics image	6F6EFE8DB841E64F6AF7C3E1FC2530C7	BDCA38F453F9935203FE8CD071E97D7F8576E0BE	FCBA8CA1313FF51D9DDEF102AD60DAD5128C430DC54E701CC31795928DCDEF02
C:\chrome\css\foundation-icons\foundation-icons.ttf	TrueType Font data, 15 tables, 1st "FFTM", 14 names, Macintosh	E20945D7C929279EF7A6F1DB184A4470	4B2BCE6C792493A4A5716B6FEC2DBEFE89492C3F	7E1DD03DD4CE90B658052554CD7459DF16716717389A552FA4C6D56A5F8933E6
C:\chrome\css\foundation-icons\foundation-icons.woff	Web Open Font Format, TrueType, length 32020, version 0.0	A188C2F768CE5033D3F5D47BE7280E25	112FB0E498037F2FEA036ADB8105E47638159EAA	8C44C3FEEDAE5331A281278EA3BA91D2255928A2F3010D316D6FBB9052E0C2EC
C:\chrome\css\foundation-icons\svgs\fi-clipboard-notes.svg	SVG Scalable Vector Graphics image	2832973B1CAA6FD5658EDDE2E7883F1D	0074A9228957A97049EADA4F286285FCE73F3DB4	1B0B25CBDA91384C829E82146184FAB7A14E24652679AF57A9587DE79D234EF7
C:\chrome\css\foundation-icons\svgs\fi-loop.svg	SVG Scalable Vector Graphics image	DA779E1EEEEE712ADC0AE67200A74784	C6CA3225B27C75F48B2C0B0B0C94FEFBA1A79AC2	66458C8667CE0A4A97711A5464F7BDE5F1593D8FB53AA15CDBFB07FE4C3A22F2
C:\chrome\css\foundation.min.css	ASCII text, with very long lines (65536), with no line terminators	23C827C78DF424896BF12E2AD99E783F	1C842E5F29D902383BD113C61BFBD80C58243FE4	BBD06ECA458430262007AB358890E2A172CD34F00D7F23D8E6AF438A225E0508
C:\chrome\css\style.css	ASCII text, with CRLF line terminators	5F1072A1BE821A90E50B7CA58D056C0D	DD99AF732F9DB6E68D9EE96E67BD6E79BA55CFD6	87ADD06AE27AD44B722AF8EFDE72AF5C8F46F79B3F1A1059767399CE10144A52
C:\chrome\img\icon128.png	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	B5BCEE45F4A092AB900C3F4D60CDE4FD	FAD9A1A64C8A19049CA387005F61C161313EC195	FA8468BED07A076CF131ACD3DE1D067A00C8ECAEE2A5C8DC222A510A9BC08DD7
C:\chrome\img\icon16.png	PNG image data, 16 x 16, 8-bit colormap, non-interlaced	A0C16EDC0E337D0F09078437D9AF28C0	F4E497223D3FA2BCC232FF0D7EEF19D130A2C9B6	A6F9BCA8225B280B6AE5F54F25823A0D397D888DCB37B4E13CE4DC615E894EAE
C:\chrome\img\icon32.png	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	2C2D74AE2084462E91FBD06127DAC9B2	E74C5C99876E663FE11AC0D59AA87EF92A0EA213	B7A293CE0D444AFF1E3FA48AEF5BF9D91ABB130E318CD4EA239C7406DF513878
C:\chrome\img\icon48.png	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	D782AD43A049EBEB1268891C16E75639	FAA337D558E4A3E70067E9FF2EB234E6BE73CD2A	4D23F5E99380810DCA6F5E35366F00EB2BC0C24964B1DD91FDA2F1B7BDA567A9
C:\chrome\img\loading.gif	GIF image data, version 89a, 80 x 80	798270E0096DC761F3A8CD3A6E48772A	FEF01F2496B4B4BD837C7C96CBC1EBB4D5EF2742	0C6F543685460875B3BD8C6D32F8725FB9487BBAB55AB6C82D78A44A2FE4CBE9
C:\chrome\img\logo.png	PNG image data, 426 x 136, 8-bit colormap, non-interlaced	7430943529E3F3E46B7FD529333A53A0	9CE6E73A40082E91D54991E116A05AEED5620EDE	280B00947159676D14F34D89C02E07EBF1DA5F2A2880CFEBF7139FE4E7D43C09
C:\chrome\img\offline.svg	SVG Scalable Vector Graphics image	556F9131CEB63CB4F54D6ADDEFF1F97D	6059E6AA2BBA5D185997FCF44A3BD2381331DBDB	34600A11920C178B6E90248A5358028DBC030DA26A3D1952398E976195F1DB5F
C:\chrome\js\background.js	ASCII text, with CRLF line terminators	E111562094B90471739ED189D83E4F19	41648E562149A13E2929F11BB1E5028CE636AA8D	B8CAAAF40CB3BC5884AD8DED3752499537E6C643CFD3C3BA88A913BF33BFA178
C:\chrome\js\parser.js	ASCII text, with CRLF line terminators	41EB5E87E455E4B5CAAB25A9BF7AB612	5A61997AF6DCF03174C8DF739A8876B2011654E8	D7FDFFD0B154DE730B16AE428D3775B6526A9F3E557E0FB83EDABE2E6557F57A
C:\chrome\js\popup.js	ASCII text, with CRLF line terminators	715869BB653A8FD8A05F6AF7ABDFF7BB	0FE5B36FDC747112D770CBEB8D0D9F5216D52C91	B0D62C7E95BF8E296BB716DD09B3D3F67DC9B029C22F440A919A67CD960C4CD8
C:\chrome\js\selection.js	ASCII text, with CRLF line terminators	CB648DC26DB09F140BBF3D704E779812	AFA69D130169AE178029AD29F99F0BC28011F736	EA897528D196288282360E1F1DEED2C9F4204BF38019A6922B3522D142674AC7
C:\chrome\js\settings.js	ASCII text, with CRLF line terminators	650CBFD499EE739A0D514278FA28608E	67AC29118FB92F52F9526496890BF6E27560F25A	91C41DF1DD10D6FEBC32921F188AA5F6FBF86DD66591A69B3B5C60739AED5C45
C:\chrome\manifest.json	JSON data	E13D0E21D3EAE8DD48A74401F4EB50A6	9FD48761FAFB164448ED36485FEDA8C75FB69A7E	435C594460340819CE18200C85EB933DFBC1891282974E63ECA91CE25DFDCFC6
C:\chrome\view\popup.html	HTML document, ASCII text, with CRLF line terminators	5BD3EAA86900DD8038A03DE0FE54F141	AB9715AC00E87BE914EE564CA2AE0593A8117772	4AF7A5434F0CE30DE9A54CFE4121CFC5216ADF53C257015F2E61E4AB62F51847
C:\chrome\view\settings.html	HTML document, ASCII text, with CRLF line terminators	E7D98E6FA95777600A70615A7E14704D	DAA52431DBB670BCAB2C78C83A59533A1063A544	ECD7ADF68B9C1DF7AEA15CAD6D5E75E8519A9EABC57DBF4C3317DF97DC99C2FA
Chrome Cache Entry: 79	ASCII text, with very long lines (2786)	2A315F1EF42A56BA97BCDDC8790D60BF	186037C57BBDD30997E944B9DC00C3FD11874D63	1026597612623718825255023B11DD5CFFE1A3D93E7525D22D9D0B70768145A7

Windows Analysis Report
OEFKKGFCAHBECCGCKJGBNFCLCMNJGIDG_1_5_9_0 (1).crx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report OEFKKGFCAHBECCGCKJGBNFCLCMNJGIDG_1_5_9_0 (1).crx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
OEFKKGFCAHBECCGCKJGBNFCLCMNJGIDG_1_5_9_0 (1).crx