Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 27, 2021, 10 a.m.	Oct. 27, 2021, 10:15 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b0148682e7c912ae740355e8a37c23f6`
SHA256	`a3a51141e8038a83816e80175c29608f2d528c7c33d538c22adde723bd004a8e`
CRC32	`ACCF0F27`
ssdeep	`24576:5EpxuQz0RYuJAliK0J4gf52W4yD74LlIyNZ87anYVDPY0joDeZx:6pL9VaUyf14ganYdY0joaZx`
PDB Path	F:\facebook_svn\trunk\database\Release\DiskScan.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library Credential_User_Data_Check_Zero - Credential User Data Check SQLite_cookies_Check_Zero - SQLite Cookie Check... select UPX_Zero - UPX packed file Trojan_PWS_Stealer_1_Zero - Trojan.PWS.Stealer Zero

askinstall59.exe "C:\Users\test22\AppData\Local\Temp\askinstall59.exe"
2444
- cmd.exe cmd.exe /c taskkill /f /im chrome.exe
  2692
  - taskkill.exe taskkill /f /im chrome.exe
    2376
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2992
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2a96e00,0x7fef2a96e10,0x7fef2a96e20
    2852

Name	Response	Post-Analysis Lookup
www.cjnovone.top	A 188.225.87.175	188.225.87.175
www.listincode.com	A 149.28.253.196	149.28.253.196
www.iyiqian.com	A 103.155.92.58	103.155.92.58
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
103.155.92.58	Active	Moloch
149.28.253.196	Active	Moloch
164.124.101.2	Active	Moloch
188.225.87.175	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 188.225.87.175:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 149.28.253.196:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:50665 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 149.28.253.196:443	C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA	CN=listincode.com	84:23:95:42:66:09:11:39:0d:e6:22:7f:eb:b3:cc:79:dd:fa:36:ed
TLSv1 192.168.56.103:49169 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 27, 2021, 10 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 27, 2021, 10 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (20 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10:01 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10:01 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10:01 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10:01 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10:01 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10:01 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0
IsDebuggerPresent Oct. 27, 2021, 10 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 27, 2021, 10 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

F:\facebook_svn\trunk\database\Release\DiskScan.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.iagehet

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIP

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 27, 2021, 10:01 a.m.	stacktrace: 0x980004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 dc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x980004 registers.r14: 276361512 registers.r15: 52675904 registers.rcx: 1260 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 276360768 registers.rsp: 276360488 registers.r11: 276364384 registers.r8: 2001240460 registers.r9: 0 registers.rdx: 1348 registers.r12: 276361128 registers.rbp: 276360624 registers.rdi: 52634928 registers.rax: 9961472 registers.r13: 52937008	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://www.cjnovone.top/Home/Index/lkdinl

Performs some HTTP requests (4 events)

request	GET http://www.iyiqian.com/
request	POST http://www.cjnovone.top/Home/Index/lkdinl
request	GET https://www.listincode.com/
request	GET https://iplogger.org/1GWfv7

Sends data using the HTTP POST Method (1 event)

request

POST http://www.cjnovone.top/Home/Index/lkdinl

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.cjnovone.top

description

Generic top level domain TLD

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2992 crashed
__exception__ Oct. 27, 2021, 10:01 a.m.	stacktrace: 0x980004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 dc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x980004 registers.r14: 276361512 registers.r15: 52675904 registers.rcx: 1260 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 276360768 registers.rsp: 276360488 registers.r11: 276364384 registers.r8: 2001240460 registers.r9: 0 registers.rdx: 1348 registers.r12: 276361128 registers.rbp: 276360624 registers.rdi: 52634928 registers.rax: 9961472 registers.r13: 52937008	1	0	0

Steals private information from local Internet browsers (34 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\ee7c92da-f714-4953-a087-f405b4bb5bc5.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61791094-BB0.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Foreign language identified in PE resource (4 events)

name

ZIP

language

LANG_CHINESE

filetype

Zip archive data, at least v1.0 to extract

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0015fb50

size

0x0000c3cc

name

RT_ICON

language

LANG_CHINESE

filetype

dBase III DBT, version number 0, next free block index 40

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014f180

size

0x00010828

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0015f9a8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

PGP symmetric key encrypted data - Plaintext or unencrypted data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0015f9c0

size

0x0000018c

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0001d200', u'virtual_address': u'0x0014f000', u'entropy': 6.83084920321199, u'name': u'.rsrc', u'virtual_size': u'0x0001d0a0'}

entropy

6.83084920321

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW Oct. 27, 2021, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (8 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker		2
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004c4 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004c4 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Oct. 27, 2021, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000500 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 27, 2021, 10:01 a.m.	status_code: 0xc0000005 process_identifier: 2992 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess Oct. 27, 2021, 10:01 a.m.	status_code: 0xc0000005 process_identifier: 2992 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	taskkill /f /im chrome.exe
cmdline	cmd.exe /c taskkill /f /im chrome.exe

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,4079857880596193986,17642116108154374734,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1032 /prefetch:2
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2a96e00,0x7fef2a96e10,0x7fef2a96e20

Resumed a suspended thread in a remote process potentially indicative of process injection (23 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2852 resumed a thread in remote process 2992
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0
NtResumeThread Oct. 27, 2021, 10:01 a.m.	thread_handle: 0x000000000000011c suspend_count: 2 process_identifier: 2992	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Adware.Win32.ExtInstaller.2!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen15.15508
MicroWorld-eScan	Gen:Variant.Razy.852832
FireEye	Generic.mg.b0148682e7c912ae
ALYac	Gen:Variant.Razy.852832
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Spyware ( 0056c7821 )
K7GW	Spyware ( 0056c7821 )
CrowdStrike	win/malicious_confidence_60% (W)
BitDefenderTheta	Gen:NN.ZexaF.34236.BD0@aS80jDbj
Cyren	W32/Socelars.I.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.Agent.PYV
APEX	Malicious
ClamAV	Win.Malware.Razy-9789744-0
Kaspersky	not-a-virus:HEUR:AdWare.Win32.ExtInstaller.gen
BitDefender	Gen:Variant.Razy.852832
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.11d3e580
Ad-Aware	Gen:Variant.Razy.852832
Sophos	Troj/Agent-BGVO
TrendMicro	TROJ_GEN.R002C0RJQ21
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
Emsisoft	Trojan-Spy.Socelars (A)
SentinelOne	Static AI - Malicious PE
GData	Win32.Trojan.Ilgergop.WYVFOC
Jiangmin	Trojan.PSW.Disbuk.dj
Avira	HEUR/AGEN.1124060
MAX	malware (ai score=82)
ZoneAlarm	not-a-virus:HEUR:AdWare.Win32.ExtInstaller.gen
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Spyware/Win.Socelars.C4656653
McAfee	GenericRXAA-AA!B0148682E7C9
VBA32	BScope.Trojan.Agentb
Malwarebytes	Spyware.Socelars
TrendMicro-HouseCall	TROJ_GEN.R002C0RJQ21
Rising	Stealer.FBAdsCard!1.CE03 (CLASSIC)
Fortinet	W32/Socelars.S!tr.spy
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.2e7c91
Panda	Trj/Genetic.gen

askinstall59.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All