
Windows Analysis Report
http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe

Overview

General Information

Sample URL:http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe
Analysis ID:1671062

Detection

Score:1
Range:0 - 100
Confidence:60%

Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w11x64_office
  • cmd.exe (PID: 6548 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe" > cmdline.out 2>&1 MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)
    • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • wget.exe (PID: 6968 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4480, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe" > cmdline.out 2>&1, ProcessId: 6548, ProcessName: cmd.exe
No Suricata rule has matched


Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /download/help/certificate/CertAppEnv_Setup.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Accept: */* | Accept-Encoding: identity | Host: download.bjca.org.cn | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: download.bjca.org.cn
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 244 | Connection: keep-alive | Date: Tue, 22 Apr 2025 13:16:38 GMT | Via: cache23.l2cn3130[123,122,404-1280,M], cache25.l2cn3130[124,0], cache25.l2cn3130[124,0], ens-cache13.cn6011[175,174,404-1280,M], ens-cache21.cn6011[179,0] | Ali-Swift-Global-Savetime: 1745327798 | X-Cache: MISS TCP_MISS dirn:-2:-2 | X-Swift-Error: orig response 4XX error | X-Swift-SaveTime: Tue, 22 Apr 2025 13:16:38 GMT | X-Swift-CacheTime: 1 | Timing-Allow-Origin: * | EagleId: 3daa4f2917453277985257295e | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 6f 77 6e 6c 6f 61 64 2f 68 65 6c 70 2f 63 65 72 74 69 66 69 63 61 74 65 2f 43 65 72 74 41 70 70 45 6e 76 5f 53 65 74 75 70 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /download/help/certificate/CertAppEnv_Setup.exe was not found on this server.</p></body></html>
Source: wget.exe, 00000003.00000002.2818310876.0000000001120000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | String found in binary or memory: http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe
Source: wget.exe, 00000003.00000002.2818310876.0000000001120000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe8
Source: wget.exe, 00000003.00000002.2818310876.0000000001120000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exeOF_P
Source: wget.exe, 00000003.00000002.2818310876.0000000001120000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exenuine-
Source: classification engine | Classification label: clean1.win@4/1@1/1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: fwpuclnt.dll
Source: wget.exe, 00000003.00000002.2818201642.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "http://download.bjca.org.cn/download/help/certificate/certappenv_setup.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "http://download.bjca.org.cn/download/help/certificate/certappenv_setup.exe"
MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique; unnumbered cells are the matrix's default entries)
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: 1 Command and Scripting Interpreter | Scheduled Task/Job | At
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: 1 Process Injection | 1 DLL Side-Loading | Logon Script (Windows)
Defense Evasion: 1 Masquerading | 1 Process Injection | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: 1 Security Software Discovery | 1 System Information Discovery | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Command and Control: 3 Non-Application Layer Protocol | 3 Application Layer Protocol | 3 Ingress Tool Transfer
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact
Behavior Graph ID: 1671062 | URL: http://download.bjca.org.cn... | Startdate: 22/04/2025 | Architecture: WINDOWS | Score: 1
  • Start -> cmd.exe (started)
  • cmd.exe -> wget.exe (started), conhost.exe (started)
  • DNS/IP nodes: download.bjca.org.cn, download.bjca.org.cn.w.kunlunca.com
  • wget.exe -> download.bjca.org.cn.w.kunlunca.com 61.170.79.113, ports 60825 -> 80, CHINANET-SH-APChinaTelecomGroupCN, China

Source | Detection | Scanner | Label | Link
http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe | 0% | Avira URL Cloud | safe |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exenuine- | 0% | Avira URL Cloud | safe |
http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe8 | 0% | Avira URL Cloud | safe |
http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exeOF_P | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
download.bjca.org.cn.w.kunlunca.com | 61.170.79.113 | true | false | | unknown
download.bjca.org.cn | unknown | unknown | false | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe | false | | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exenuine- | wget.exe, 00000003.00000002.2818310876.0000000001120000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exeOF_P | wget.exe, 00000003.00000002.2818310876.0000000001120000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe8 | wget.exe, 00000003.00000002.2818310876.0000000001120000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        61.170.79.113 | download.bjca.org.cn.w.kunlunca.com | China | | 4812 | CHINANET-SH-APChinaTelecomGroupCN | false
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1671062
        Start date and time:2025-04-22 15:15:42 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 30s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:urldownload.jbs
        Sample URL:http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe
        Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
        Number of analysed new started processes analysed:4
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:CLEAN
        Classification:clean1.win@4/1@1/1
        Cookbook Comments:
        • Unable to download file
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded IPs from analysis (whitelisted): 184.29.183.29
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
        • Not all processes were analyzed; the report is missing behavior information
        • VT rate limit hit for: http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe
        No simulations
        No context
        Process:C:\Windows\SysWOW64\cmd.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):399
        Entropy (8bit):5.139812615666659
        Encrypted:false
        SSDEEP:12:H0kwYkplktmLuoF3kplk6t1De5Rhh8ooB3v:roFMxePP8Zf
        MD5:3FAD9D182FEBF087A772191CF185726E
        SHA1:163BE3B283D926460F9C150B4FFC9F9EB1DE051E
        SHA-256:EA6E54E62D763E26621A757ED6DAB1E46F616F640689627A169BEF8D37715E45
        SHA-512:9CBE8798BC1FE3ACB49A77BF480FCD3527E0935647E086E3B5A69AFBC34960662DFF9F75BB974879F96B94551C2CD2626B6B4DF9478B1213AA39A1A72D9AACB7
        Malicious:false
        Reputation:low
        Preview:--2025-04-22 09:16:35-- http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe..Resolving download.bjca.org.cn (download.bjca.org.cn)... 61.170.79.113, 61.170.79.107, 61.170.79.112, .....Connecting to download.bjca.org.cn (download.bjca.org.cn)|61.170.79.113|:80... connected...HTTP request sent, awaiting response... 404 Not Found..2025-04-22 09:16:37 ERROR 404: Not Found.....
        No static file info


        • Total Packets: 7
        • 80 (HTTP)
        • 53 (DNS)

        TCP packets
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Apr 22, 2025 15:16:37.090017080 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113
        Apr 22, 2025 15:16:38.097575903 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113
        Apr 22, 2025 15:16:38.382617950 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24
        Apr 22, 2025 15:16:38.382702112 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113
        Apr 22, 2025 15:16:38.383625031 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113
        Apr 22, 2025 15:16:38.641097069 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24
        Apr 22, 2025 15:16:38.641160011 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113
        Apr 22, 2025 15:16:38.668365955 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24
        Apr 22, 2025 15:16:38.849124908 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24
        Apr 22, 2025 15:16:38.887326956 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113

        UDP packets
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Apr 22, 2025 15:16:36.320318937 CEST | 64788 | 53 | 192.168.2.24 | 1.1.1.1
        Apr 22, 2025 15:16:37.084569931 CEST | 53 | 64788 | 1.1.1.1 | 192.168.2.24

        DNS queries
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Apr 22, 2025 15:16:36.320318937 CEST | 192.168.2.24 | 1.1.1.1 | 0xa0a | Standard query (0) | download.bjca.org.cn | A (IP address) | IN (0x0001) | false

        DNS answers
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn | download.bjca.org.cn.w.kunlunca.com | | CNAME (Canonical name) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.113 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.107 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.112 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.114 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.109 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.108 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.110 | A (IP address) | IN (0x0001) | false
        Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | | 61.170.79.111 | A (IP address) | IN (0x0001) | false
        • download.bjca.org.cn
        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        0 | 192.168.2.24 | 60825 | 61.170.79.113 | 80 | 6968 | C:\Windows\SysWOW64\wget.exe
        Timestamp | Bytes transferred | Direction | Data
        Apr 22, 2025 15:16:38.383625031 CEST | 242 | OUT | GET /download/help/certificate/CertAppEnv_Setup.exe HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
        Accept: */*
        Accept-Encoding: identity
        Host: download.bjca.org.cn
        Connection: Keep-Alive
        Apr 22, 2025 15:16:38.849124908 CEST | 820 | IN | HTTP/1.1 404 Not Found
        Server: Tengine
        Content-Type: text/html; charset=iso-8859-1
        Content-Length: 244
        Connection: keep-alive
        Date: Tue, 22 Apr 2025 13:16:38 GMT
        Via: cache23.l2cn3130[123,122,404-1280,M], cache25.l2cn3130[124,0], cache25.l2cn3130[124,0], ens-cache13.cn6011[175,174,404-1280,M], ens-cache21.cn6011[179,0]
        Ali-Swift-Global-Savetime: 1745327798
        X-Cache: MISS TCP_MISS dirn:-2:-2
        X-Swift-Error: orig response 4XX error
        X-Swift-SaveTime: Tue, 22 Apr 2025 13:16:38 GMT
        X-Swift-CacheTime: 1
        Timing-Allow-Origin: *
        EagleId: 3daa4f2917453277985257295e
        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 6f 77 6e 6c 6f 61 64 2f 68 65 6c 70 2f 63 65 72 74 69 66 69 63 61 74 65 2f 43 65 72 74 41 70 70 45 6e 76 5f 53 65 74 75 70 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /download/help/certificate/CertAppEnv_Setup.exe was not found on this server.</p></body></html>



        Target ID:0
        Start time:09:16:34
        Start date:22/04/2025
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe" > cmdline.out 2>&1
        Imagebase:0xda0000
        File size:245'760 bytes
        MD5 hash:7B2C2B671D3F48A01B334A0070DEC0BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:1
        Start time:09:16:34
        Start date:22/04/2025
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7bdef0000
        File size:1'040'384 bytes
        MD5 hash:9698384842DA735D80D278A427A229AB
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:3
        Start time:09:16:35
        Start date:22/04/2025
        Path:C:\Windows\SysWOW64\wget.exe
        Wow64 process (32bit):true
        Commandline:wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe"
        Imagebase:0x400000
        File size:3'895'184 bytes
        MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        No disassembly