Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 8, 2021, 4:49 p.m.	Oct. 8, 2021, 4:55 p.m.

Size	94.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4d9d9852244f8d0e19d04dce14cfce8c`
SHA256	`f68cf2d7540359cd27bae6aaa15274efd2444f148e1632a9d4bf90facfe5c927`
CRC32	`0F4A1976`
ssdeep	`1536:77fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfZxuUYOr:Xq6+ouCpk2mpcWJ0r+QNTBfZff`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

browsercleaner3.exe "C:\Users\test22\AppData\Local\Temp\browsercleaner3.exe"
1328
- cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp\7B65.bat C:\Users\test22\AppData\Local\Temp\browsercleaner3.exe"
  684
  - taskkill.exe taskkill /F /IM chrome.exe /T
    2156
  - taskkill.exe taskkill /F /IM msedge.exe /T
    2264
  - timeout.exe timeout 3
    528
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --restore-last-session
    2600
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef1b86e00,0x7fef1b86e10,0x7fef1b86e20
      876

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 8, 2021, 4:41 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 8, 2021, 4:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (23 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 4:47 p.m.			0	0

Command line console output was observed (42 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001 console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: The system cannot find the file msedge. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:41 p.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:42 p.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW Oct. 8, 2021, 4:49 p.m.	buffer: Waiting for 3 console_handle: 0x0000000000000007	1	1
WriteConsoleW Oct. 8, 2021, 4:49 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 8, 2021, 4:49 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 8, 2021, 4:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 405466680 registers.r15: 206067184 registers.rcx: 1352 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 405465936 registers.rsp: 405465640 registers.r11: 405469552 registers.r8: 2007138700 registers.r9: 0 registers.rdx: 1372 registers.r12: 405466296 registers.rbp: 405465792 registers.rdi: 205877776 registers.rax: 9961472 registers.r13: 206109296	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 8, 2021, 4:42 p.m.	process_identifier: 684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 4:42 p.m.	process_identifier: 684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 4:42 p.m.	process_identifier: 684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d79000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 4:47 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 4:47 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d79000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 4:47 p.m.	process_identifier: 876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2600 crashed
__exception__ Oct. 8, 2021, 4:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 405466680 registers.r15: 206067184 registers.rcx: 1352 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 405465936 registers.rsp: 405465640 registers.r11: 405469552 registers.r8: 2007138700 registers.r9: 0 registers.rdx: 1372 registers.r12: 405466296 registers.rbp: 405465792 registers.rdi: 205877776 registers.rax: 9961472 registers.r13: 206109296	1	0	0

Steals private information from local Internet browsers (50 out of 57 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\*
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\9eb3e28a-3a4d-4169-b1f7-347ee2924874.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Sync Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Sync Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5\Sync Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Sync Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Sync Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6160109C-A28.pma

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp\7B65.bat

Creates a suspicious process (1 event)

cmdline

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp\7B65.bat C:\Users\test22\AppData\Local\Temp\browsercleaner3.exe"

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 8, 2021, 4:49 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp\7B65.bat C:\Users\test22\AppData\Local\Temp\browsercleaner3.exe" filepath: C:\Windows\sysnative\cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.110640338733982, u'name': u'.rdata', u'virtual_size': u'0x0000339d'}

entropy

7.11064033873

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 8, 2021, 4:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 8, 2021, 4:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp\7B65.bat C:\Users\test22\AppData\Local\Temp\browsercleaner3.exe"
cmdline	taskkill /F /IM chrome.exe /T
cmdline	taskkill /F /IM msedge.exe /T
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp\7B65.bat C:\Users\test22\AppData\Local\Temp\browsercleaner3.exe"

Deletes executed files from disk (3 events)

file	C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp
file	C:\Users\test22\AppData\Local\Temp\7B63.tmp
file	C:\Users\test22\AppData\Local\Temp\7B63.tmp\7B64.tmp\7B65.bat

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1084,13969818523917713133,15378987257595440213,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1064 /prefetch:2
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef1b86e00,0x7fef1b86e10,0x7fef1b86e20

Resumed a suspended thread in a remote process potentially indicative of process injection (27 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1328 resumed a thread in remote process 684
Process injection	Process 684 resumed a thread in remote process 2600
Process injection	Process 876 resumed a thread in remote process 2600
NtResumeThread Oct. 8, 2021, 4:49 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 684	1	0	0
NtResumeThread Oct. 8, 2021, 4:42 p.m.	thread_handle: 0x0000000000000294 suspend_count: 1 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:47 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:47 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:47 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:47 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:47 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:47 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0
NtResumeThread Oct. 8, 2021, 4:48 p.m.	thread_handle: 0x0000000000000148 suspend_count: 2 process_identifier: 2600	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.4d9d9852244f8d0e
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.221f87
Cyren	W32/Kryptik.FDM.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
Rising	Trojan.Generic@ML.98 (RDML:QU+MmyrBm8gQ2qpF4lhmhw)
Sophos	Generic ML PUA (PUA)
Zillya	Tool.Lazagne.Win32.102
McAfee-GW-Edition	BehavesLike.Win32.Generic.nh
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.PowerShell.bj
eGambit	Unsafe.AI_Score_94%
Antiy-AVL	Trojan/Generic.ASMalwS.2B9EB3B
Microsoft	Trojan:Script/Phonzy.B!ml
Cynet	Malicious (score: 100)
Zoner	Trojan.Win32.85523
Ikarus	Trojan.PowerShell.Rozena
Webroot	W32.Malware.Gen
AVG	Win32:Trojan-gen

browsercleaner3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All