Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 19, 2021, 9:20 a.m.	Oct. 19, 2021, 9:27 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`edd9798569447f5264a467bc71e42964`
SHA256	`229eb4820a74104923a8714a8e2b8a8fcb4b6c44f0559572b08a8ad542b8cdc4`
CRC32	`2B31D98B`
ssdeep	`24576:cxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3CZ1zo:spy+VDa8rtPvX3CZlo`
PDB Path	F:\facebook_svn\trunk\database\Release\DiskScan.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library Credential_User_Data_Check_Zero - Credential User Data Check SQLite_cookies_Check_Zero - SQLite Cookie Check... select UPX_Zero - UPX packed file Trojan_PWS_Stealer_1_Zero - Trojan.PWS.Stealer Zero

askinstall24.exe "C:\Users\test22\AppData\Local\Temp\askinstall24.exe"
1616
- cmd.exe cmd.exe /c taskkill /f /im chrome.exe
  2440
  - taskkill.exe taskkill /f /im chrome.exe
    2324
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2364
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef1a86e00,0x7fef1a86e10,0x7fef1a86e20
    784

Name	Response	Post-Analysis Lookup
www.cjnovone.top	A 188.225.87.175	188.225.87.175
www.listincode.com	A 144.202.76.47	144.202.76.47
www.iyiqian.com	A 103.155.92.58	103.155.92.58
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
103.155.92.58	Active	Moloch
144.202.76.47	Active	Moloch
164.124.101.2	Active	Moloch
188.225.87.175	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49164 -> 144.202.76.47:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:64472 -> 8.8.8.8:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49172 -> 188.225.87.175:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 144.202.76.47:443	C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA	CN=listincode.com	84:23:95:42:66:09:11:39:0d:e6:22:7f:eb:b3:cc:79:dd:fa:36:ed
TLSv1 192.168.56.102:49166 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 19, 2021, 9:21 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 19, 2021, 9:21 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (23 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:19 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0
IsDebuggerPresent Oct. 19, 2021, 9:18 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 19, 2021, 9:21 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

F:\facebook_svn\trunk\database\Release\DiskScan.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.cgahget

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIP

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 19, 2021, 9:19 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 406122072 registers.r15: 216677776 registers.rcx: 1432 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 406121328 registers.rsp: 406121032 registers.r11: 406124944 registers.r8: 2007138700 registers.r9: 0 registers.rdx: 1440 registers.r12: 406121688 registers.rbp: 406121184 registers.rdi: 235977472 registers.rax: 9961472 registers.r13: 216738912	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://www.cjnovone.top/Home/Index/lkdinl

Performs some HTTP requests (4 events)

request	GET http://www.iyiqian.com/
request	POST http://www.cjnovone.top/Home/Index/lkdinl
request	GET https://www.listincode.com/
request	GET https://iplogger.org/1bV787

Sends data using the HTTP POST Method (1 event)

request

POST http://www.cjnovone.top/Home/Index/lkdinl

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.cjnovone.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 19, 2021, 9:18 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:19 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d79000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 19, 2021, 9:18 a.m.	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2364 crashed
__exception__ Oct. 19, 2021, 9:19 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 406122072 registers.r15: 216677776 registers.rcx: 1432 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 406121328 registers.rsp: 406121032 registers.r11: 406124944 registers.r8: 2007138700 registers.r9: 0 registers.rdx: 1440 registers.r12: 406121688 registers.rbp: 406121184 registers.rdi: 235977472 registers.rax: 9961472 registers.r13: 216738912	1	0	0

Steals private information from local Internet browsers (36 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-616E56E4-93C.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\db4a3a6b-400e-4dd5-890c-66ae1b31d11d.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Foreign language identified in PE resource (4 events)

name

ZIP

language

LANG_CHINESE

filetype

Zip archive data, at least v1.0 to extract

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162b50

size

0x0000c3cc

name

RT_ICON

language

LANG_CHINESE

filetype

dBase III DBT, version number 0, next free block index 40

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00152180

size

0x00010828

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001629a8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

PGP symmetric key encrypted data - Plaintext or unencrypted data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001629c0

size

0x0000018c

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:20 a.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW Oct. 19, 2021, 9:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (8 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker		2
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 19, 2021, 9:21 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000538 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd.exe /c taskkill /f /im chrome.exe
cmdline	taskkill /f /im chrome.exe

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef1a86e00,0x7fef1a86e10,0x7fef1a86e20
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,615235730391199880,11927573767798533455,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1088 /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (25 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 784 resumed a thread in remote process 2364
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:19 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0
NtResumeThread Oct. 19, 2021, 9:20 a.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 2364	1	0	0

Generates some ICMP traffic

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.DisbRecoKAB.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.371633
FireEye	Generic.mg.edd9798569447f52
McAfee	GenericRXAA-AA!EDD979856944
Cylance	Unsafe
Zillya	Backdoor.Agent.Win32.82381
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (W)
K7GW	Spyware ( 005484541 )
K7AntiVirus	Spyware ( 005484541 )
Cyren	W32/Socelars.K.gen!Eldorado
ESET-NOD32	Win32/Spy.Socelars.S
APEX	Malicious
ClamAV	Win.Malware.Razy-9789744-0
Kaspersky	HEUR:Trojan-PSW.Win32.Disbuk.gen
BitDefender	Gen:Variant.Zusy.371633
SUPERAntiSpyware	Trojan.Agent/Gen-SpySocelars
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10cf4ac5
Ad-Aware	Gen:Variant.Zusy.371633
Emsisoft	Trojan-Spy.Socelars (A)
DrWeb	Trojan.Siggen15.15860
McAfee-GW-Edition	BehavesLike.Win32.Dropper.th
Sophos	Troj/Agent-BGVO
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.PSW.Disbuk.dj
Avira	HEUR/AGEN.1124060
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Generic.ASMalwS.34A5AAB
Microsoft	Trojan:Win32/Tnega!ml
Gridinsoft	Trojan.Win32.Agent.oa!s1
Arcabit	Trojan.Zusy.D5ABB1
GData	Gen:Variant.Zusy.371633
Cynet	Malicious (score: 100)
AhnLab-V3	Infostealer/Win.Socelars.R372531
VBA32	BScope.Trojan.Agentb
ALYac	Gen:Variant.Zusy.371633
TACHYON	Backdoor/W32.Agent.1495552.D
Malwarebytes	Glupteba.Backdoor.Bruteforce.DDS
Rising	Stealer.FBAdsCard!1.CE03 (CLASSIC)
Yandex	TrojanSpy.Socelars!mVLM7EpAvLc
Fortinet	W32/Socelars.S!tr.spy
BitDefenderTheta	Gen:NN.ZexaF.34218.B10@aCyunWdj
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/Genetic.gen

askinstall24.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All