Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 1, 2023, 7:44 p.m.	June 1, 2023, 7:46 p.m.

Size	19.8KB
Type	HTML document, ASCII text, with very long lines
MD5	`9b78bbb925f4d5e4fb3b19b1962674b9`
SHA256	`59c04be1dd57909128065639ac22c840e0f7de4b7d115a881594b2771f8ea253`
CRC32	`89611E4A`
ssdeep	`384:Y+Gn948+gKC/5vhcAbaVD6hBGOJstYEGwvctaheTupw9IglFAbaVD6hBGdYw6hjJ:An9GQhmsnBGOEG0ctwHpdUFsnBGdxQqW`
Yara	Antivirus - Contains references to security software

chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" C:\Users\test22\AppData\Local\Temp\1.html
3012
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3476e00,0x7fef3476e10,0x7fef3476e20
  1884

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (23 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:45 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:45 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:45 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0
IsDebuggerPresent June 1, 2023, 7:44 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 1, 2023, 7:45 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 262860232 registers.r15: 73366288 registers.rcx: 1404 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 262859488 registers.rsp: 262859192 registers.r11: 262863104 registers.r8: 2000388492 registers.r9: 0 registers.rdx: 1416 registers.r12: 262859848 registers.rbp: 262859344 registers.rdi: 83635792 registers.rax: 11010048 registers.r13: 74184768	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 1, 2023, 7:44 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 1, 2023, 7:44 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 1, 2023, 7:44 p.m.	process_identifier: 1884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 3012 crashed
__exception__ June 1, 2023, 7:45 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 262860232 registers.r15: 73366288 registers.rcx: 1404 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 262859488 registers.rsp: 262859192 registers.r11: 262863104 registers.r8: 2000388492 registers.r9: 0 registers.rdx: 1416 registers.r12: 262859848 registers.rbp: 262859344 registers.rdi: 83635792 registers.rax: 11010048 registers.r13: 74184768	1	0	0

Steals private information from local Internet browsers (23 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\0f87a6d0-2bd1-4bab-9720-a0262628e10a.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6478D8FA-BC4.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 1, 2023, 7:45 p.m.	status_code: 0xc0000005 process_identifier: 3012 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess June 1, 2023, 7:45 p.m.	status_code: 0xc0000005 process_identifier: 3012 process_handle: 0x00000000000000bc	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1184,2596835032492610852,15094728775894625055,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1192 /prefetch:2
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3476e00,0x7fef3476e10,0x7fef3476e20

Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1884 resumed a thread in remote process 3012
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0
NtResumeThread June 1, 2023, 7:45 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 3012	1	0	0

1.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All