Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Sept. 18, 2021, 7:45 p.m. | Sept. 18, 2021, 7:47 p.m. |
-
-
-
taskkill.exe taskkill /f /im chrome.exe
1460
-
-
xcopy.exe xcopy "C:\Users\test22\AppData\Local\Google\Chrome\User Data" "C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
804 -
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\test22\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
1816-
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x90,0x94,0x98,0x8c,0x9c,0x7fef1c6f1e8,0x7fef1c6f1f8,0x7fef1c6f208
1348 -
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2692 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
1908
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
www.wsrygoq.com | 188.225.87.175 | |
www.listincode.com | 144.202.76.47 | |
www.iyiqian.com | 103.155.92.58 | |
iplogger.org | 88.99.66.31 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49201 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49198 -> 144.202.76.47:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49201 88.99.66.31:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
TLSv1 192.168.56.101:49198 144.202.76.47:443 |
C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA | CN=listincode.com | 84:23:95:42:66:09:11:39:0d:e6:22:7f:eb:b3:cc:79:dd:fa:36:ed |
pdb_path | F:\facebook_svn\trunk\database\Release\DiskScan.pdb |
file | C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Locales\ko.pak |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
section | .hgwrgss |
resource name | ZIP |
suspicious_features | POST method with no referer header | suspicious_request | POST http://www.wsrygoq.com/Home/Index/lkdinl |
request | GET http://www.iyiqian.com/ |
request | POST http://www.wsrygoq.com/Home/Index/lkdinl |
request | GET https://www.listincode.com/ |
request | GET https://iplogger.org/14Jup7 |
request | POST http://www.wsrygoq.com/Home/Index/lkdinl |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\en_US\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\lv |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\et |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ko |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ru\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\lt\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOCK |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ca\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\et\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ko\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ne |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\manifest.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_metadata\verified_contents.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\da |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ro\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\da\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\zh_TW\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\zh_TW\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\hi\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\mr\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\el |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\nl |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\da |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\uk\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ta |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\tr\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\th |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\28.0.0.137\manifest.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\id\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\nl |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hi\messages.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\craw_window.css |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fr\messages.json |
name | ZIP | language | LANG_CHINESE | filetype | Zip archive data, at least v1.0 to extract | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00156b50 | size | 0x0000cc07 | ||||||||||||||||||
name | RT_ICON | language | LANG_CHINESE | filetype | dBase III DBT, version number 0, next free block index 40 | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00146180 | size | 0x00010828 | ||||||||||||||||||
name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x001569a8 | size | 0x00000014 | ||||||||||||||||||
name | RT_VERSION | language | LANG_CHINESE | filetype | PGP symmetric key encrypted data - Plaintext or unencrypted data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x001569c0 | size | 0x0000018c |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\main.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\angular.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\mirroring_webrtc.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\mirroring_hangouts.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\cast_setup\cast_app.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\contentscript_bin_prod.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\feedback_script.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\common.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\PepperFlash\28.0.0.137\pepflashplayer.dll |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\main.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\page_embed_script.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\cast_setup\cast_app_redirect.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\craw_window.js |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\mirroring_cast_streaming.js |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\eventpage_bin_prod.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\cast_sender.js |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\craw_background.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\background_script.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\mirroring_common.js |
file | C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\main.js |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js |
cmdline | cmd.exe /c taskkill /f /im chrome.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe") |
section | {u'size_of_data': u'0x0001da00', u'virtual_address': u'0x00146000', u'entropy': 6.931167777465486, u'name': u'.rsrc', u'virtual_size': u'0x0001d8d8'} | entropy | 6.93116777747 | description | A section with a high entropy has been found |
url | https://clients4.google.com/invalidation/android/request/ |
url | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
url | http://services.ukrposhta.com/postindex_new/ |
url | http://dts.search-results.com/sr?lng= |
url | http://inposdom.gob.do/codigo-postal/ |
url | http://creativecommons.org/ns |
url | http://www.postur.fo/ |
url | https://qc.search.yahoo.com/search?ei= |
url | https://cacert.omniroot.com/baltimoreroot.crt09 |
url | https://codereview.chromium.org/25305002). |
url | https://search.yahoo.com/search?ei= |
url | http://t1.symcb.com/ThawtePCA.crl0/ |
url | http://crbug.com/31395. |
url | https://support.google.com/chrome/answer/165139 |
url | https://ct.googleapis.com/aviator/ |
url | https://datasaver.googleapis.com/v1/clientConfigs |
url | http://crl.starfieldtech.com/sfroot-g2.crl0L |
url | https://ct.startssl.com/ |
url | https://suggest.yandex.com.tr/suggest-ff.cgi?part= |
url | https://de.search.yahoo.com/favicon.ico |
url | https://github.com/GoogleChrome/Lighthouse/issues |
url | http://www.searchnu.com/favicon.ico |
url | https://support.google.com/installer/?product= |
url | http://msdn.microsoft.com/en-us/library/ms792901.aspx |
url | https://www.najdi.si/search.jsp?q= |
url | http://x.ss2.us/x.cer0 |
url | http://crl.geotrust.com/crls/gtglobal.crl04 |
url | https://accounts.google.com/ServiceLogin |
url | https://accounts.google.com/OAuthLogin |
url | https://c.android.clients.google.com/ |
url | https://search.goo.ne.jp/sgt.jsp?MT= |
url | https://www.google.com/tools/feedback/chrome/__submit |
url | https://chrome.google.com/webstore/category/collection/dark_themes |
url | http://check.googlezip.net/generate_204 |
url | http://ocsp.starfieldtech.com/08 |
url | http://www.guernseypost.com/postcode_finder/ |
url | http://crl.certum.pl/ca.crl0h |
url | http://ator |
url | https://suggest.yandex.by/suggest-ff.cgi?part= |
url | http://feed.snap.do/?q= |
url | https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico |
url | http://www.language |
url | https://support.google.com/chrome/ |
url | http://developer.chrome.com/apps/declare_permissions.html |
url | https://ct.googleapis.com/rocketeer/ |
url | https://www.globalsign.com/repository/03 |
url | http://www.startssl.com/sfsca.crl0 |
url | http://UA-Compatible |
url | https://se.search.yahoo.com/search?ei= |
url | http://EVSecure-ocsp.geotrust.com0 |
description | Communication using DGA | rule | Network_DGA | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Perform crypto currency mining | rule | BitCoin | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Virtual currency | rule | Virtual_currency_Zero | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Communications over P2P network | rule | Network_P2P_Win | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Possibly employs anti-virtualization techniques | rule | vmdetect | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Perform crypto currency mining | rule | BitCoin | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Virtual currency | rule | Virtual_currency_Zero | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Steal credential | rule | local_credential_Steal |
cmdline | taskkill /f /im chrome.exe |
cmdline | cmd.exe /c taskkill /f /im chrome.exe |
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2692 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | ||||||
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1168,4075975592687563348,17893194445613590461,131072 --user-data-dir="C:\Users\test22\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --user-data-dir="C:\Users\test22\AppData\Local\Temp\cghjgasaaz99" --service-request-channel-token=6D7FEC69FADC95634C408D7858AF174A --mojo-platform-channel-handle=1188 --ignored=" --type=renderer " /prefetch:2 | ||||||
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x90,0x94,0x98,0x8c,0x9c,0x7fef1c6f1e8,0x7fef1c6f1f8,0x7fef1c6f208 |
url | http://127.0.0.1 |