Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 20, 2021, 9:33 a.m.	Sept. 20, 2021, 9:47 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`61e0ed3cd468c91cd0641939a519c720`
SHA256	`6c976231d3a4957256814dcba485579c8b1ae5d31d9e8650db52f1eb5d13e6f3`
CRC32	`FDB0270E`
ssdeep	`24576:HIVFA1pqtg/TnMbX0lwyh0FVmEByU1fwFYyOs6bQCH6S8q4AQ8Yfwv:mFA1pvTMbOwa0TmYpMYEQNH6S8cQ8Y4v`
PDB Path	F:\facebook_svn\trunk\database\Release\DiskScan.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Trojan_PWS_Stealer_1_Zero - Trojan.PWS.Stealer Zero Credential_User_Data_Check_Zero - Credential User Data Check Malicious_Library_Zero - Malicious_Library SQLite_cookies_Check_Zero - SQLite Cookie Check... select IsPE32 - (no description)

askinstall5.exe "C:\Users\test22\AppData\Local\Temp\askinstall5.exe"
1948
- cmd.exe cmd.exe /c taskkill /f /im chrome.exe
  2828
  - taskkill.exe taskkill /f /im chrome.exe
    2220
- xcopy.exe xcopy "C:\Users\test22\AppData\Local\Google\Chrome\User Data" "C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
  2812
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\test22\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
  2748
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef1a86e00,0x7fef1a86e10,0x7fef1a86e20
    784

Name	Response	Post-Analysis Lookup
www.listincode.com	A 144.202.76.47	144.202.76.47
www.iyiqian.com	A 103.155.92.58	103.155.92.58
www.khcyysy.com	A 188.225.87.175	188.225.87.175
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
103.155.92.58	Active	Moloch
144.202.76.47	Active	Moloch
164.124.101.2	Active	Moloch
188.225.87.175	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 144.202.76.47:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49163 144.202.76.47:443	C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA	CN=listincode.com	84:23:95:42:66:09:11:39:0d:e6:22:7f:eb:b3:cc:79:dd:fa:36:ed
TLSv1 192.168.56.102:49165 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 20, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (24 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:34 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:34 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:34 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0
IsDebuggerPresent Sept. 20, 2021, 9:33 a.m.			0	0

Command line console output was observed (50 out of 885 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60E58FA8-748.pma console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6738\crl-set console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6738\LICENSE console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6738\manifest.fingerprint console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6738\manifest.json console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6738\_metadata\verified_contents.json console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\manifest.fingerprint console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\manifest.json console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_metadata\verified_contents.json console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\07b75c1be57d68fff1b0c61d2315c7bae6577c5794b76aeebc613a1a69d3a21c.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\084114980071532c16190460bcfc47fdc2653afa292c72b37ff863ae29ccc9f0.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\2245450759552456963fa12ff1f76d86e0232663adc04b7f5dc6835c6ee20f02.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\293c519654c83965baaa50fc5807d4b76fbf587a2972dca4c30cf4e54547f478.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\2979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\35cf191bbfb16c57bf0fad4c6d42cbbbb627202651ea3fe12aefa803c33bd64c.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\41c8cab1df22464a10c6a13a0942875e4e318b1b03ebeb4bc768f090629606f6.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\4494652eb0eeceafc44007d8a8fe28c0dae682bed8cb31b53fd33396b5b681a8.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\46a555eb75fa912030b5a28969f4f37d112c4174befd49b885abf2fc70fe6d47.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\51a3b0f5fd01799c566db837788f0ca47acc1b27cbf79e88429a0dfed48b05e5.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5581d4c2169036014aea0b9b573c53f0c0e43878702508172fa3aa1d0713d30c.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5614069a2fd7c2ecd3f5e1bd44b23ec74676b9bc99115cc0ef949855d689d0dd.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5cdc4392fee6ab4544b15e9ad456e61037fbd5fa47dca17394b25ee6f6c70eca.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5ea773f9df56c0e7b536487dd049e0327a919a0c84a112128418759681714558.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\63f2dbcde83bcc2ccf0b728427576b33a48d61778fbd75a638b1c768544bd88d.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\68f698f81f6482be3a8ceeb9281d4cfc71515d6793d444d10a67acbb4f4ffbc4.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\6f5376ac31f03119d89900a45115ff77151c11d902c10029068db2089a37d913.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\747eda8331ad331091219cce254f4270c2bffd5e422008c6373579e6107bcc56.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\7a328c54d8b72db620ea38e0521ee98416703213854d3bd22bc13a57a352eb52.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\7d3ef2f88fff88556824c2c0ca9e5289792bc50e78097f2e6a9768997e22f0d7.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\8775bfe7597cf88c43995fbdf36eff568d475636ff4ab560c1b4eaff5ea0830f.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\ac3b9aed7fa9674757159e6d7d575672f9d98100941e9bdeffeca1313b75782d.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\adf7befa7cff10c88b9d3d9c1e3e186ab467295dcfb10c24ca858634ebdc828a.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\b21e05cc8ba2cd8a204e8766f92bb98a2520676bdafa70e7b249532def8b905e.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\b3737707e18450f86386d605a9dc11094a792db1670c0b87dcf0030e7936a59a.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\bbd9dfbc1f8a71b593942397aa927b473857950aab52e81a909664368e1ed185.sth console_handle: 0x00000013	1	1
WriteConsoleW Sept. 20, 2021, 9:33 a.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth console_handle: 0x00000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

F:\facebook_svn\trunk\database\Release\DiskScan.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.aaghher

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIP

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 20, 2021, 9:34 a.m.	stacktrace: 0x180004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 20 77 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x180004 registers.r14: 408875944 registers.r15: 238015312 registers.rcx: 1416 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 408875200 registers.rsp: 408874920 registers.r11: 408878816 registers.r8: 2007138700 registers.r9: 0 registers.rdx: 1436 registers.r12: 408875560 registers.rbp: 408875056 registers.rdi: 238024144 registers.rax: 1572864 registers.r13: 237585056	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://www.khcyysy.com/Home/Index/lkdinl

Performs some HTTP requests (4 events)

request	GET http://www.iyiqian.com/
request	POST http://www.khcyysy.com/Home/Index/lkdinl
request	GET https://www.listincode.com/
request	GET https://iplogger.org/1XJq97

Sends data using the HTTP POST Method (1 event)

request

POST http://www.khcyysy.com/Home/Index/lkdinl

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 20, 2021, 9:33 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:33 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d79000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 20, 2021, 9:33 a.m.	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2748 crashed
__exception__ Sept. 20, 2021, 9:34 a.m.	stacktrace: 0x180004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 20 77 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x180004 registers.r14: 408875944 registers.r15: 238015312 registers.rcx: 1416 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 408875200 registers.rsp: 408874920 registers.r11: 408878816 registers.r8: 2007138700 registers.r9: 0 registers.rdx: 1436 registers.r12: 408875560 registers.rbp: 408875056 registers.rdi: 238024144 registers.rax: 1572864 registers.r13: 237585056	1	0	0

Steals private information from local Internet browsers (50 out of 1489 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\common.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\hi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\page_embed_script.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\0.57.44.2492\_platform_specific\x86_64\pnacl_public_pnacl_json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2209.0\_platform_specific
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es_419\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5ea773f9df56c0e7b536487dd049e0327a919a0c84a112128418759681714558.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\_locales\zh_HK\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\nl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\cs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\cs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ru
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\computed_hashes.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2209.0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_metadata\computed_hashes.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\91.265.200\em002_64.dll
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\da
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lt\messages.json

Foreign language identified in PE resource (4 events)

name

ZIP

language

LANG_CHINESE

filetype

Zip archive data, at least v1.0 to extract

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00156b50

size

0x0000cc07

name

RT_ICON

language

LANG_CHINESE

filetype

dBase III DBT, version number 0, next free block index 40

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00146180

size

0x00010828

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001569a8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

PGP symmetric key encrypted data - Plaintext or unencrypted data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001569c0

size

0x0000018c

Creates executable files on the filesystem (39 events)

file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\main.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\software_reporter_tool.exe
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\mirroring_cast_streaming.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\mirroring_hangouts.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\em004_64.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\background_script.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\em005_64.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\main.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\edls_64.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\WidevineCdm\4.10.2209.0\_platform_specific\win_x64\widevinecdm.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\PepperFlash\32.0.0.445\pepflashplayer.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\em002_64.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\em003_64.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\em000_64.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\angular.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\common.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\eventpage_bin_prod.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\mirroring_webrtc.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\mirroring_common.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\recovery\101.3.34.11\ChromeRecovery.exe
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\page_embed_script.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SwReporter\91.265.200\em001_64.dll
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\cast_sender.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\feedback_script.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\main.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\recovery\101.3.34.11\ChromeRecovery.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 20, 2021, 9:33 a.m.	thread_identifier: 2412 thread_handle: 0x00000504 process_identifier: 2812 current_directory: filepath: track: 1 command_line: xcopy "C:\Users\test22\AppData\Local\Google\Chrome\User Data" "C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\" /s /e /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000530	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW Sept. 20, 2021, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (8 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker		2
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004cc options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004cc options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Sept. 20, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000504 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	taskkill /f /im chrome.exe
cmdline	cmd.exe /c taskkill /f /im chrome.exe

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1084,6339463080112364218,17585075453215040050,131072 --user-data-dir="C:\Users\test22\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1068 /prefetch:2
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef1a86e00,0x7fef1a86e10,0x7fef1a86e20

Resumed a suspended thread in a remote process potentially indicative of process injection (25 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 784 resumed a thread in remote process 2748
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Sept. 20, 2021, 9:34 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0

Generates some ICMP traffic

Drops 286 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 61 events)

file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad\reports\4252581a-c777-4c81-91e9-8add7ba565e0.dmp
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\UrlCsdWhitelist.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Session Storage\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Sessions\Tabs_13270130856398073
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\TLSDeprecationConfig\4\tls_deprecation_config.pb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\ScriptCache\index-dir\the-real-index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\shared_proto_db\000003.log
file	c:\users\test22\appdata\local\temp\cghjgasaaz99\crashpadmetrics.pma
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Local Storage\leveldb\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extension Rules\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SafetyTips\2659\safety_tips.pb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\History Provider Cache
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\ThirdPartyModuleList64\2018.8.8.0\module_list_proto
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\UrlSubresourceFilter.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\UrlMalBin.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\CertCsdDownloadWhitelist.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\File System\Origins\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Sessions\Session_13270130856303325
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Translate Ranker Model
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\FileTypePolicies\43\download_file_types.pb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\GrShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\ChromeExtMalware.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SSLErrorAssistant\7\ssl_error_assistant.pb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extension State\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\WidevineCdm\4.10.2209.0\_platform_specific\win_x64\widevinecdm.dll.sig
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\BrowserMetrics\BrowserMetrics-60E58FA8-748.pma
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Module Info Cache
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\FontLookupTableCache\font_unique_name_table.pb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\ChromeUrlClientIncident.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\CertificateRevocation\6738\crl-set
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\PnaclTranslationCache\data_1
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Visited Links
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Subresource Filter\Indexed Rules\27\9.28.0\Ruleset Data
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Cache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Subresource Filter\Unindexed Rules\9.28.0\Filtering Rules
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Last Browser
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index-dir\the-real-index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\GrShaderCache\GPUCache\data_1

askinstall5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All