
Analysis Report http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 86340
Start date: 26.10.2018
Start time: 04:00:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.spyw.evad.win@16/147@8/8
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.8% (good quality ratio 98.4%)
  • Quality average: 87.4%
  • Quality standard deviation: 21.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 33
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: ChromeSetup.exe

Detection

Strategy   Score  Range     Reporting       Detection
Threshold  5      60 - 100  Report FP / FN  malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Signature Overview



AV Detection:

Antivirus detection for unpacked file
Source: 6.2.ChromeSetup.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.1.ChromeSetup.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local\Temp\inH45319154225
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local\Temp\inH45319154225\bootstrap_30284.html

Networking:

Downloads files
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\logo4[1].png
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /ctsoqw4/ChromeSetup.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Accept: */* | Accept-Encoding: identity | Host: www.tasetofeni.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /downloadimage/24620/16/8f2cd5310232df6287d0877bdd42ea0b/logo4.png?logotipo=automatico&uo=http://www.googleonline2018.com/intl/en/chrome/&nada=true HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: fsdfegtts.download | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rureviv/blogo_s.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Sibarasawi/bg_comp.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowabobeso/icon1.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowabobeso/icon2.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowabobeso/icon3.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowabobeso/rsk_custom_dark_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowabobeso/b2_win_clean.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Sibarasawi/logo_comp.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Sedelelahe/08_11_16/4.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowabobeso/b3_win.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Sedelelahe/08_11_16/3.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Winipizi/logo2.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Sedelelahe/08_11_16/1.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Sedelelahe/08_11_16/2.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowabobeso/rsk_custom_light_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Tefenece/Tefenece_logo_black.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Jimomoromoj/Jimomoromoj_logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Wowowosog/custom_TL_hockey_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Wowowosog/bg_custom_TL.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Wowowosog/logo_TL.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Tavasat/15Feb17/v2/EN.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Vavavag/V2/DE.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Mifigisere/TL_NEW_win2.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Mifigisere/logo_NEW.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Wewarebew/Bisli_logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Wewarebew/logo_FS.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Fadolatos/TL_win_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Fadolatos/logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Necoroca/Necoroca_logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Necoroca/NecorocaB_logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Bomonobinok/Bomonobinok_v3.jpg HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Bomonobinok/v1_blank.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG.jpg HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG_FS.jpg HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG_FS_LONG.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG_TC_FS_N.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG_LONG.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG_TC_N.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG_TT_FS.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/BG_TT.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/logo_new.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/fusion_TL1_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/win_TL1_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Wafadonala/bg.jpg HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Wafadonala/logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Rowubero/TPC_win_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Lolosobeken/Lolosobeken.jpg HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Nuhududanew/logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Gadegam/TL_win_bg.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /img/Gadegam/TL_logo.png HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: img.reholessbegise.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ofr/Solululadul/osutils.cis HTTP/1.1 | Accept: */* | Host: remote.reholessbegise.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16.cis HTTP/1.1 | Accept: */* | Host: remote.reholessbegise.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ofr/Necoroca/YL/Necoroca_yl_090616.cis HTTP/1.1 | Accept: */* | Host: remote.reholessbegise.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16.cis HTTP/1.1 | Accept: */* | Host: www3.reholessbegise.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ofr/Solululadul/osutils.cis HTTP/1.1 | Accept: */* | Host: www3.reholessbegise.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ofr/Necoroca/YL/Necoroca_yl_090616.cis HTTP/1.1 | Accept: */* | Host: www3.reholessbegise.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive
Found strings which match to known social media urls
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: 'Value1' : 'Search Offer gives you safe and direct access to all of your favorite sites via Yahoo powered search. Yahoo is focused on making the world equals www.yahoo.com (Yahoo)
Source: 54dd.html.4.dr | String found in binary or memory: <p>2.2 <span class="underline">Service Providers</span>. We currently use Amazon Web Services, Inc. and Google Cloud Platform servers to store your information.The Software may include Yahoo's and/or Microsoft's and/or Google's search feed. You can read their privacy policies here: for Yahoo: <a href="https://info.yahoo.com/privacy/us/yahoo/search/details.html" target="_blank">https://info.yahoo.com/privacy/us/yahoo/search/details.html</a>, for Microsoft: <a href="http://go.Microsoft.com/fwlink/?LinkID=248686" target="_blank">http://go.Microsoft.com/fwlink/?LinkID=248686</a> and got Google: <a href="https://www.google.com/policies/privacy/" target="_blank">https://www.google.com/policies/privacy/</a>.</p> equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: debug.write('Failed to write uninstall key: Search Provided by Yahoo, ' + e.message, debug.MT_INFO, this.originalId); equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: acesso seguro e direto a todos os seus sites favoritos por meio do mecanismo de busca do Yahoo. O Yahoo est equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: e par Yahoo. Yahoo s equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: es. Transforme o Yahoo em sua p equals www.yahoo.com (Yahoo)
Source: we23.html.4.dr | String found in binary or memory: for Yahoo: <a href="https://info.yahoo.com/legal/us/yahoo/utos/utos-173.html">https://info.yahoo.com/legal/us/yahoo/utos/utos-173.html</a>, for Microsoft: <a href="http://go.Microsoft.com/fwlink/?LinkID=246338">http://go.Microsoft.com/fwlink/?LinkID=246338</a> and for equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: glichen Gewohnheiten der Welt inspirierend und unterhaltsam zu gestalten - ob Sie nun im Internet nach etwas suchen, Fotos mit der Familie teilen oder einfach nur den Wetterbericht, Sportergebnisse oder Aktienpreise abrufen. Machen Sie Yahoo zu Ihrer Homepage, zu Ihrem neuen Tab und zu Ihrer Standardsuche in allen kompatiblen Browsern (findet Anwendung auf den Internet Explorer und auf Firefox)', equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: re searching the web, sharing photos with family, or simply checking the weather, sports, or stock quotes. Make Yahoo your homepage, new tab and default search on all compatible browsers (applies to Internet Explorer and Firefox)', equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: s sportives ou le cours des actions. Faites de Yahoo votre page d equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: squeda desarrollada por Yahoo. Yahoo se centra en hacer los h equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: tiles. Haz de Yahoo tu p equals www.yahoo.com (Yahoo)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: tzt Suche. Yahoo konzentriert sich darauf, die t equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.tasetofeni.com
Posts data to webserver
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Accept: */* | Host: dev.reholessbegise.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Content-Length: 1568 | Cache-Control: no-cache
Urls found in memory or binary data
Source: ChromeSetup.exe, 00000004.00000003.1645798586.7FDE0000.00000004.sdmp | String found in binary or memory: HTTP://ABBA.S3.AMAZONAWS.COM/ABBA/
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: http://abba.s3.amazonaws.com/ABBA/
Source: csshover3.htc.4.dr | String found in binary or memory: http://creativecommons.org/licenses/LGPL/2.1
Source: wget.exe, 00000002.00000002.1555102472.00B66000.00000004.sdmp, ChromeSetup.exe.2.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: wget.exe, 00000002.00000002.1555102472.00B66000.00000004.sdmp, ChromeSetup.exe.2.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ChromeSetup.exe, 00000004.00000003.1642828690.00329000.00000004.sdmp | String found in binary or memory: http://dev.reholessbegise.com/
Source: ChromeSetup.exe, 00000004.00000003.1642828690.00329000.00000004.sdmp | String found in binary or memory: http://dev.reholessbegise.com/)
Source: logo_FS[1].png.4.dr | String found in binary or memory: http://getwebbar.com/eula.html
Source: logo_FS[1].png.4.dr | String found in binary or memory: http://getwebbar.com/privacy.html
Source: logo_FS[1].png.4.dr | String found in binary or memory: http://getwebbar.com/uninstall.html
Source: logo_FS[1].png.4.dr | String found in binary or memory: http://getwebbar.com/uninstall.html&lt;/a&gt;
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: http://img.
Source: main.css.4.dr | String found in binary or memory: http://juicystudio.com/article/screen-readers-display-none.php
Source: wget.exe, 00000002.00000002.1555102472.00B66000.00000004.sdmp, ChromeSetup.exe.2.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: we23.html.4.dr | String found in binary or memory: http://searchmgr.com/pp.html.
Source: main.css.4.dr | String found in binary or memory: http://snook.ca/archives/html_and_css/hiding-content-for-accessibility
Source: ES.locale.4.dr, PT.locale.4.dr | String found in binary or memory: http://sourceforge.net/devshare/why
Source: we23.html.4.dr | String found in binary or memory: http://stringjs.com/
Source: we23.html.4.dr | String found in binary or memory: http://underscorejs.org/
Source: we23.html.4.dr | String found in binary or memory: http://www.chromium.org/
Source: ChromeSetup.exe, ChromeSetup.exe, 00000006.00000000.1653163815.00401000.00000020.sdmp, ChromeSetup.exe.2.dr | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: ChromeSetup.exe, 00000004.00000001.1585570305.00401000.00000020.sdmp, ChromeSetup.exe, 00000006.00000000.1653163815.00401000.00000020.sdmp, ChromeSetup.exe.2.dr | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: D7143069654402.dat.4.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: wget.exe, 00000002.00000002.1555092573.00B60000.00000004.sdmp, wget.exe, 00000002.00000002.1554813373.00020000.00000004.sdmp, cmdline.out.2.dr | String found in binary or memory: http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe
Source: wget.exe, 00000002.00000002.1555102472.00B66000.00000004.sdmp | String found in binary or memory: http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exem
Source: csshover3.htc.4.dr | String found in binary or memory: http://www.xs4all.nl/~peterned/
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: https://goo.gl/1muiGO
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | String found in binary or memory: https://goo.gl/IO8Ywm
Source: we23.html.4.dr | String found in binary or memory: https://info.yahoo.com/legal/us/yahoo/utos/utos-173.html
Source: 54dd.html.4.dr | String found in binary or memory: https://info.yahoo.com/privacy/us/yahoo/search/details.html
Source: we23.html.4.dr | String found in binary or memory: https://jquery.org/license/
Source: main.css.4.dr | String found in binary or memory: https://www.drupal.org/node/897638
Source: we23.html.4.dr | String found in binary or memory: https://www.google.com/policies/terms/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ChromeSetup.exe, 00000004.00000003.1625344431.017B0000.00000004.sdmp | Binary or memory string: DirectDrawCreateEx
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Window created: window name: CLIPBRDWNDCLASS
Installs a raw input device (often for capturing keystrokes)
Source: ChromeSetup.exe, 00000004.00000003.1626254183.01850000.00000004.sdmp | Binary or memory string: GetRawInputData

System Summary:

Potential malicious VBS script found (suspicious strings)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped file: Set objWshShell = CreateObject("WScript.Shell")
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped file: Set objFSO = CreateObject("Scripting.FileSystemObject")
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped file: Set objShell = CreateObject("Shell.Application")
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped file: Set tasksToRemove = CreateObject("System.Collections.ArrayList")
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped file: Set filesToDelete = CreateObject("System.Collections.ArrayList")
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped file: Set service = CreateObject("Schedule.Service")
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped file: Set WshShell = CreateObject("WScript.Shell")
Abnormally high CPU usage
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process stats: CPU usage > 98%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Detected potential crypto function
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_0040A12B
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00409F68
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00406166
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_004061D6
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_004062DA
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_0040840C
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00405D1C
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00405D3E
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00405DAD
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00405ED4
PE file contains strange resources
Source: ChromeSetup.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported twice)
Reads the hosts file
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: sqlite3.dll.10.dr | Static PE information: Section: UPX1 ZLIB complexity 0.993394987536
Classification label
Source: classification engine | Classification label: mal56.spyw.evad.win@16/147@8/8
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
Creates files inside the user directory
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Creates temporary files
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\0006EA47.log
Found command line output
Source: C:\Windows\System32\timeout.exe | Console Write: Waiting for 1
Source: C:\Windows\System32\timeout.exe | Console Write:  seconds, press a key to continue ...
Source: C:\Windows\System32\cmd.exe | Console Write:         1 file(s) copied.
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (reported 3 times)
Reads ini files
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe'
Source: unknown | Process created: C:\Users\user\Desktop\download\ChromeSetup.exe 'C:\Users\user\Desktop\download\ChromeSetup.exe'
Source: unknown | Process created: C:\Users\user\Desktop\download\ChromeSetup.exe 'C:\Users\user\Desktop\download\ChromeSetup.exe' /_ShowProgress /mnl
Source: unknown | Process created: C:\Windows\System32\cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Source: unknown | Process created: C:\Windows\System32\timeout.exe TIMEOUT 1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe'
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process created: C:\Users\user\Desktop\download\ChromeSetup.exe 'C:\Users\user\Desktop\download\ChromeSetup.exe' /_ShowProgress /mnl
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process created: C:\Windows\System32\cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe TIMEOUT 1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Binary contains paths to debug symbols

Data Obfuscation:

Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll'
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process created: C:\Windows\System32\cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll'
PE file contains an invalid checksum
Source: ChromeSetup.exe.2.dr | Static PE information: real checksum: 0x55ebbf70 should be: 0x259c4e
Source: sqlite3.dll.10.dr | Static PE information: real checksum: 0x0 should be: 0x787fb
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_004040B5 push eax; ret 6_2_004040F1
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00408104 push ecx; mov dword ptr [esp], eax 6_2_00408109
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00404185 push 00404391h; ret 6_2_00404389
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00404206 push 00404391h; ret 6_2_00404389
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_0040C218 push eax; ret 6_2_0040C219
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_004042E8 push 00404391h; ret 6_2_00404389
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00404283 push 00404391h; ret 6_2_00404389
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_004065C8 push 00406605h; ret 6_2_004065FD
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00408F38 push 00408F6Bh; ret 6_2_00408F63
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wget.exe | File created: C:\Users\user\Desktop\download\ChromeSetup.exe
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\D7143069654401.dat
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (reported 6 times)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: ChromeSetup.exe, 00000004.00000003.1625344431.017B0000.00000004.sdmp | Binary or memory string: CDB.EXEWINDBG.EXE
Enumerates the file system
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local\Temp\inH45319154225
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Local\Temp\inH45319154225\bootstrap_30284.html
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\D7143069654401.dat
Source: C:\Windows\System32\cmd.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_6-5425
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | API coverage: 4.6 %
Contains functionality to query system information
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: ChromeSetup.exe, 00000004.00000003.1645798586.7FDE0000.00000004.sdmp | Binary or memory string: WINDOW.DEBUG.WRITE('VIRTUALMACHINE MODE - REMOTE OFFERS DISABLED.',WINDOW.DEBUG.MT_INFO,'ADMANAGER');T.SHOWDEFAULTSLOT();RETURN;};IF(T.INDEBUGMODE){IF(TYPEOF(WINDOW.DEBUG)!=='UNDEFINED'&&WINDOW.DEBUG.WRITE)
Source: ChromeSetup.exe, 00000004.00000003.1630642002.7E6E0000.00000004.sdmp | Binary or memory string: window.debug.write('VirtualMachine mode - remote offers disabled.',window.debug.MT_INFO,'adManager');t.showDefaultSlot();return;};if(t.inDebugMode){if(typeof(window.debug)!=='undefined'&&window.debug.write)
Program exit points
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | API call chain: ExitProcess graph end node graph_6-6449
Queries a list of all running processes
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | System information queried: KernelDebuggerInformation

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe'
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process created: C:\Users\user\Desktop\download\ChromeSetup.exe 'C:\Users\user\Desktop\download\ChromeSetup.exe' /_ShowProgress /mnl
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process created: C:\Windows\System32\cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe TIMEOUT 1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe'
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Process created: C:\Windows\System32\cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT'+'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT' 'C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~1.DAT' & cmd /d /c del 'C:\Users\HERBBL~1\AppData\Local\Temp\D71430~2.DAT'
May try to detect the Windows Explorer process (often used for injection)
Source: ChromeSetup.exe, 00000004.00000003.1624703771.01838000.00000004.sdmp | Binary or memory string: Program Manager
Source: ChromeSetup.exe, 00000004.00000003.1626254183.01850000.00000004.sdmp | Binary or memory string: GetProgmanWindow
Source: ChromeSetup.exe, 00000004.00000003.1626254183.01850000.00000004.sdmp | Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00405258 GetLocaleInfoA
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_0040520C GetLocaleInfoA
Queries the installation date of Windows
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Queries volume information: C:\ VolumeInformation (reported 4 times)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation (reported twice)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation (reported twice)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Queries volume information: C:\Users\HERBBL~1\Desktop\download\CHROME~1.EXE VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_004026C4 GetSystemTime
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Code function: 6_2_00405CF4 GetVersionExA
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\download\ChromeSetup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\prefs.js

Behavior Graph

Behavior Graph ID: 86340 | URL: http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe | Start date: 26/10/2018 | Architecture: WINDOWS | Score: 56

Process tree recovered from the rendered graph (node numbers are the graph's own):

  • Analysis root (node 2); signatures: Obfuscated command line found; Tries to detect sandboxes and other dynamic analysis tools (process name or module)
    • ChromeSetup.exe started (node 7; counts shown in graph: 2, 174)
      • Network: www3.reholessbegise.com 199.201.110.78, ports 49185, 49186, 49187, NAMECHEAP-NET-NamecheapIncUS, United States
      • Network: img.reholessbegise.com 146.185.27.45, ports 49166, 49167, 49168, HSI-EUROPEGB, United Kingdom
      • Network: 5 other IPs or domains
      • Dropped: C:\Users\HERBBL~1\...\D7143069654401.dat, PE32
      • Signatures: Obfuscated command line found; Potential malicious VBS script found (suspicious strings); Tries to harvest and steal browser information (history, passwords, etc)
      • cmd.exe started (node 14); signature: Obfuscated command line found
        • cmd.exe started (node 23)
          • Dropped: C:\Users\HERBBL~1\AppData\...\sqlite3.dll, PE32
        • cmd.exe started (node 26)
        • cmd.exe started (node 28)
        • timeout.exe started (node 30)
      • ChromeSetup.exe started (node 17)
    • cmd.exe started (node 12; count shown in graph: 1)
      • wget.exe started (node 19; count shown in graph: 1)
        • Network: www.tasetofeni.com 34.246.251.21, ports 49161, 80, AMAZON-02-AmazoncomIncUS, United States
        • Dropped: C:\Users\user\Desktop\...\ChromeSetup.exe, PE32

Simulations

Behavior and APIs

Time | Type | Description
04:00:44 | API Interceptor | 2874x Sleep call for process: cmd.exe modified
04:01:08 | API Interceptor | 886x Sleep call for process: ChromeSetup.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\HERBBL~1\AppData\Local\Temp\D7143069654401.dat | 5% | virustotal |
C:\Users\HERBBL~1\AppData\Local\Temp\D7143069654401.dat | 0% | metadefender |
C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll | 0% | virustotal |
C:\Users\HERBBL~1\AppData\Local\Temp\in6FE8C00C\sqlite3.dll | 0% | metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.ChromeSetup.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
4.1.ChromeSetup.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

Source | Detection | Scanner | Label | Link
dev.reholessbegise.com | 0% | virustotal | | Browse
fsdfegtts.download | 0% | virustotal | | Browse
bbs.reholessbegise.com | 3% | virustotal | | Browse
www4.reholessbegise.com | 1% | virustotal | | Browse
www3.reholessbegise.com | 0% | virustotal | | Browse
www.tasetofeni.com | 1% | virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
http://www4.reholessbegise.com/AdworldDLM_Bing/ | 0% | virustotal | | Browse
http://www4.reholessbegise.com/AdworldDLM_Bing/ | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Sedelelahe/08_11_16/3.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rureviv/blogo_s.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG_LONG.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowabobeso/rsk_custom_dark_bg.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Sedelelahe/08_11_16/2.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG_TC_N.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Lolosobeken/Lolosobeken.jpg | 0% | Avira URL Cloud | safe |
http://fsdfegtts.download/downloadimage/24620/16/8f2cd5310232df6287d0877bdd42ea0b/logo4.png?logotipo=automatico&uo=http://www.googleonline2018.com/intl/en/chrome/&nada=true | 0% | Avira URL Cloud | safe |
http://remote.reholessbegise.com/ofr/Solululadul/osutils.cis | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowabobeso/b2_win_clean.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Sedelelahe/08_11_16/1.png | 0% | Avira URL Cloud | safe |
http://www3.reholessbegise.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16.cis | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Wowowosog/bg_custom_TL.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Gadegam/TL_win_bg.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Sibarasawi/logo_comp.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG_FS.jpg | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowabobeso/b3_win.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Fadolatos/logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Bomonobinok/Bomonobinok_v3.jpg | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG_FS_LONG.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG_TC_FS_N.png | 0% | Avira URL Cloud | safe |
http://www3.reholessbegise.com/ofr/Necoroca/YL/Necoroca_yl_090616.cis | 0% | Avira URL Cloud | safe |
http://dev.reholessbegise.com/ | 0% | virustotal | | Browse
http://dev.reholessbegise.com/ | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Wewarebew/Bisli_logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Necoroca/NecorocaB_logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG.jpg | 0% | Avira URL Cloud | safe |
http://remote.reholessbegise.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16.cis | 0% | Avira URL Cloud | safe |
http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exem | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Fadolatos/TL_win_bg.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Wowowosog/custom_TL_hockey_bg.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Winipizi/logo2.png | 0% | Avira URL Cloud | safe |
http://bbs.reholessbegise.com/?woja=0 | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowabobeso/icon2.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Tavasat/15Feb17/v2/EN.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Sibarasawi/bg_comp.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Mifigisere/logo_NEW.png | 0% | Avira URL Cloud | safe |
http://remote.reholessbegise.com/ofr/Necoroca/YL/Necoroca_yl_090616.cis | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Jimomoromoj/Jimomoromoj_logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Wowowosog/logo_TL.png | 0% | Avira URL Cloud | safe |
http://www.tasetofeni.com/ctsoqw4/ChromeSetup.exe | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowabobeso/rsk_custom_light_bg.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowabobeso/icon1.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowubero/TPC_win_bg.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Wafadonala/bg.jpg | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG_TT.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Gadegam/TL_logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Tefenece/Tefenece_logo_black.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/win_TL1_bg.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Mifigisere/TL_NEW_win2.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Bomonobinok/v1_blank.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/logo_new.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Vavavag/V2/DE.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/fusion_TL1_bg.png | 0% | Avira URL Cloud | safe |
http://dev.reholessbegise.com/) | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Rowabobeso/icon3.png | 0% | Avira URL Cloud | safe |
http://www3.reholessbegise.com/ofr/Solululadul/osutils.cis | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Necoroca/Necoroca_logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Nuhududanew/BG_TT_FS.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Sedelelahe/08_11_16/4.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Wafadonala/logo.png | 0% | Avira URL Cloud | safe |
http://img.reholessbegise.com/img/Wewarebew/logo_FS.png | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.