askinstall59.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6402 | Oct. 20, 2021, 9:12 a.m. | Oct. 20, 2021, 9:18 a.m. |
-
-
-
taskkill.exe taskkill /f /im chrome.exe
2208
-
-
-
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef1b16e00,0x7fef1b16e10,0x7fef1b16e20
532
-
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.listincode.com | 144.202.76.47 | |
| www.iyiqian.com | 103.155.92.58 | |
| iplogger.org | 88.99.66.31 |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49166 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49164 -> 144.202.76.47:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49166 88.99.66.31:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
|
TLSv1 192.168.56.102:49164 144.202.76.47:443 |
C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA | CN=listincode.com | 84:23:95:42:66:09:11:39:0d:e6:22:7f:eb:b3:cc:79:dd:fa:36:ed |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| pdb_path | F:\facebook_svn\trunk\database\Release\DiskScan.pdb |
| file | C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\resources\web_store\_metadata\computed_hashes.json |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
| section | .iasfafg |
| resource name | ZIP |
| request | GET https://www.listincode.com/ |
| request | GET https://iplogger.org/1GWfv7 |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOCK |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\ |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB__tmp_for_rebuild |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Visited Links |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Media History-wal |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History-journal |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb__tmp_for_rebuild |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Bookmarks |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Application Cache\Cache |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\ |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\README |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database__tmp_for_rebuild |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\File System\primary.origin |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History-wal |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb |
| name | ZIP | language | LANG_CHINESE | filetype | Zip archive data, at least v1.0 to extract | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00162b50 | size | 0x0000c3cc | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | dBase III DBT, version number 0, next free block index 40 | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00152180 | size | 0x00010828 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x001629a8 | size | 0x00000014 | ||||||||||||||||||
| name | RT_VERSION | language | LANG_CHINESE | filetype | PGP symmetric key encrypted data - Plaintext or unencrypted data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x001629c0 | size | 0x0000018c | ||||||||||||||||||
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js |
| cmdline | cmd.exe /c taskkill /f /im chrome.exe |
| wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe") |
| section | {u'size_of_data': u'0x0001d200', u'virtual_address': u'0x00152000', u'entropy': 6.844743738672484, u'name': u'.rsrc', u'virtual_size': u'0x0001d0a0'} | entropy | 6.84474373867 | description | A section with a high entropy has been found | |||||||||
| cmdline | taskkill /f /im chrome.exe |
| cmdline | cmd.exe /c taskkill /f /im chrome.exe |
| parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef1b16e00,0x7fef1b16e10,0x7fef1b16e20 | ||||||
| Bkav | W32.DisbRecoKAB.Trojan |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Gen:Variant.Zusy.371633 |
| FireEye | Generic.mg.80dfcce79746fa5f |
| McAfee | GenericRXAA-AA!80DFCCE79746 |
| Cylance | Unsafe |
| Zillya | Backdoor.Agent.Win32.82381 |
| Sangfor | Trojan.Win32.Save.a |
| K7AntiVirus | Spyware ( 005484541 ) |
| K7GW | Spyware ( 005484541 ) |
| Cybereason | malicious.79746f |
| BitDefenderTheta | Gen:NN.ZexaF.34218.B10@aWxOSdmj |
| Cyren | W32/Socelars.K.gen!Eldorado |
| Symantec | ML.Attribute.HighConfidence |
| ESET-NOD32 | Win32/Spy.Socelars.S |
| APEX | Malicious |
| Paloalto | generic.ml |
| ClamAV | Win.Malware.Razy-9789744-0 |
| Kaspersky | HEUR:Backdoor.Win32.Agent.gen |
| BitDefender | Gen:Variant.Zusy.371633 |
| SUPERAntiSpyware | Trojan.Agent/Gen-SpySocelars |
| Avast | Win32:PWSX-gen [Trj] |
| Rising | Stealer.FBAdsCard!1.CE03 (CLASSIC) |
| Ad-Aware | Gen:Variant.Zusy.371633 |
| Sophos | Mal/Generic-R + Troj/Agent-BGVO |
| DrWeb | Trojan.Siggen15.15860 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.th |
| Emsisoft | Trojan-Spy.Socelars (A) |
| SentinelOne | Static AI - Malicious PE |
| GData | Gen:Variant.Zusy.371633 |
| Jiangmin | Trojan.PSW.Disbuk.dj |
| Avira | HEUR/AGEN.1124060 |
| MAX | malware (ai score=100) |
| Antiy-AVL | Trojan/Generic.ASMalwS.34A5AAB |
| Gridinsoft | Trojan.Win32.Agent.oa!s1 |
| Microsoft | Trojan:Win32/Tnega!ml |
| Cynet | Malicious (score: 100) |
| AhnLab-V3 | Infostealer/Win.Socelars.R372531 |
| VBA32 | BScope.Trojan.Agentb |
| ALYac | Gen:Variant.Zusy.371633 |
| TACHYON | Backdoor/W32.Agent.1495552.D |
| Malwarebytes | Glupteba.Backdoor.Bruteforce.DDS |
| TrendMicro-HouseCall | TROJ_GEN.R002C0RJJ21 |
| Tencent | Malware.Win32.Gencirc.10cf4ac5 |
| Fortinet | W32/Socelars.S!tr.spy |
| AVG | Win32:PWSX-gen [Trj] |
| Panda | Trj/Genetic.gen |
| CrowdStrike | win/malicious_confidence_100% (W) |