Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 14, 2023, 3:31 p.m.	June 14, 2023, 3:33 p.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`428d5dbe757e12d9981141ebc01725c5`
SHA256	`8ba99d9a743aac170f2ed64305054195f3b601decf1dcdc54cb62c8be0ebc63c`
CRC32	`309D5602`
ssdeep	`49152:V5O+OAPVVZ69xpRgssDTqNkMUwWey+kiEjisBiG/Sn5nwAbAJrvVG3NBCdAYsN/9:V5oGcsXgkmy+wisQG/S5OJbVG3NB2sNF`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

23.exe "C:\Users\test22\AppData\Local\Temp\23.exe"
288
- cglwharps.exe "C:\Windows\Temp\cglwharps.exe"
  2292
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=25563 --headless --user-data-dir="C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D" --profile-directory="Default"
    2408
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef3dd6e00,0x7fef3dd6e10,0x7fef3dd6e20
      2468
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x180,0x184,0x188,0x17c,0x18c,0x7fef35c3d58,0x7fef35c3d68,0x7fef35c3d78
      2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (31 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 14, 2023, 3:31 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:31 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 3:24 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 14, 2023, 3:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e98f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 3:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e98f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 3:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007e9770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 14, 2023, 3:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 14, 2023, 3:25 p.m.	stacktrace: 0x190004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x190004 registers.r14: 213708360 registers.r15: 101055920 registers.rcx: 1324 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 213707616 registers.rsp: 213707336 registers.r11: 213711232 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1336 registers.r12: 213707976 registers.rbp: 213707472 registers.rdi: 100706448 registers.rax: 1638400 registers.r13: 297207312	1	0	0

Starts servers listening (13 events)

Time & API	Arguments	Status	Return
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1264 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1264 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1320 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1264 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1320 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1264 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 84 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1324 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 84 port: 0	1	0
bind June 14, 2023, 3:31 p.m.	ip_address: 0.0.0.0 socket: 1352 port: 0	1	0
bind June 14, 2023, 3:24 p.m.	ip_address: 127.0.0.1 socket: 1132 port: 25563	1	0
listen June 14, 2023, 3:24 p.m.	socket: 1132 backlog: 10	1	0
accept June 14, 2023, 3:24 p.m.	ip_address: socket: 1132 port: 0		-1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 71 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ea1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ea2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0077a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0077c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 3:31 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2408 crashed
__exception__ June 14, 2023, 3:25 p.m.	stacktrace: 0x190004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x190004 registers.r14: 213708360 registers.r15: 101055920 registers.rcx: 1324 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 213707616 registers.rsp: 213707336 registers.r11: 213711232 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1336 registers.r12: 213707976 registers.rbp: 213707472 registers.rdi: 100706448 registers.rax: 1638400 registers.r13: 297207312	1	0	0

Steals private information from local Internet browsers (50 out of 93 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\previews_opt_out.db-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Local Storage\leveldb\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Origin Bound Certs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Network Persistent State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Shortcuts-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Code Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\previews_opt_out.db
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\blob_storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Local Storage\leveldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Local Storage\leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Service Worker\Database\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Safe Browsing Channel IDs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\000006.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Trust Tokens-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Local Storage\leveldb\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Visited Links
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\heavy_ad_intervention_opt_out.db
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\blob_storage\f8dc9e0e-3e8c-450a-8fe8-e37b46c0beff
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\History Provider Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Code Cache\wasm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Local Storage\leveldb\000003.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Top Sites
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Google Profile.ico
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Translate Ranker Model
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Media History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Local Storage\leveldb\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\chrome_debug.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\File System\primary.origin
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\in_progress_download_metadata_store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\TransportSecurity
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Top Sites-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Default\Code Cache\js\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Crashpad\settings.dat

Creates executable files on the filesystem (1 event)

file	C:\Windows\Temp\cglwharps.exe

Drops a binary and executes it (1 event)

file	C:\Windows\Temp\cglwharps.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 14, 2023, 3:31 p.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000e200', u'virtual_address': u'0x0005d000', u'entropy': 6.802287495720708, u'name': u'.rsrc', u'virtual_size': u'0x0000e034'}

entropy

6.80228749572

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 14, 2023, 3:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (3 events)

Time & API	Arguments	Status
NtTerminateProcess June 14, 2023, 3:31 p.m.	status_code: 0xffffffff process_identifier: 2292 process_handle: 0x00000530
NtTerminateProcess June 14, 2023, 3:25 p.m.	status_code: 0xc0000005 process_identifier: 2408 process_handle: 0x000000000000018c
NtTerminateProcess June 14, 2023, 3:25 p.m.	status_code: 0xc0000005 process_identifier: 2408 process_handle: 0x000000000000018c	1

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 14, 2023, 3:31 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

cglwharps.exe tried to sleep 2728175 seconds, actually delayed analysis time by 2728175 seconds

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x180,0x184,0x188,0x17c,0x18c,0x7fef35c3d58,0x7fef35c3d68,0x7fef35c3d78
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data2154D" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef3dd6e00,0x7fef3dd6e10,0x7fef3dd6e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=952,16976014561143161409,14701308911366242812,131072 --headless --headless --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=964 /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (28 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2408
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0
NtResumeThread June 14, 2023, 3:25 p.m.	thread_handle: 0x00000000000000f8 suspend_count: 2 process_identifier: 2408	1	0	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.HTA.4!c
Elastic	malicious (high confidence)
Malwarebytes	Malware.AI.3831405213
Sangfor	Trojan.Win32.Hta.V640
Alibaba	Trojan:Win32/GenKryptik.96f60348
Cyren	W32/S-8ed38c1a!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win32/GenKryptik_AGen.ACV
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.HTA.tj
NANO-Antivirus	Trojan.Win32.HTA.jwlzcw
Avast	Win32:Evo-gen [Trj]
F-Secure	Trojan.TR/AD.Nekark.ghxkv
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
FireEye	Generic.mg.428d5dbe757e12d9
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious SFX
Avira	TR/AD.Nekark.veact
Antiy-AVL	Trojan/Win32.GenKryptik
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan.Win32.HTA.tj
Google	Detected
McAfee	Artemis!428D5DBE757E
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0DFD23
Rising	Trojan.HTA!8.11E8A (TFE:5:N4c784Php0B)
Yandex	Trojan.GenKryptik_AGen!p9Ocdg5jnyI
BitDefenderTheta	Gen:NN.ZexaF.36250.@N1@a8Ktm2fi
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS

23.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All