Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 22, 2023, 11:08 a.m.	June 22, 2023, 11:10 a.m.

Size	982.2KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`0a37c2dbf12101e1f082e345c76fd594`
SHA256	`0f1a0986662dfca5f0c0fbaa0a8ec6eefdb114ad1eaa7437058ff951f679689c`
CRC32	`D884BFB4`
ssdeep	`24576:bRAg7EfoR6pOoVqw2HsxwGP2bNsPwHXa6h:bRuHpO3E+bNbv`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

123.exe "C:\Users\test22\AppData\Local\Temp\123.exe"
496
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --remote-debugging-port=43537 --headless --user-data-dir="C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT" --profile-directory="Default"
  2156
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef3e16e00,0x7fef3e16e10,0x7fef3e16e20
    2208
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x180,0x184,0x188,0x17c,0x18c,0x7fef3603d58,0x7fef3603d68,0x7fef3603d78
    2320

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (26 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:09 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0
IsDebuggerPresent June 22, 2023, 11:08 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 22, 2023, 11:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2023, 11:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2023, 11:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 22, 2023, 11:08 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MUI

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 22, 2023, 11:08 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 238941080 registers.r15: 91071312 registers.rcx: 1248 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 238940336 registers.rsp: 238940040 registers.r11: 238943952 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1260 registers.r12: 238940696 registers.rbp: 238940192 registers.rdi: 91090000 registers.rax: 12058624 registers.r13: 91172064	1	0	0

Starts servers listening (13 events)

Time & API	Arguments	Status	Return
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1264 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1324 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1328 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1324 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1328 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1324 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1328 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1324 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1328 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 0.0.0.0 socket: 1352 port: 0	1	0
bind June 22, 2023, 11:08 a.m.	ip_address: 127.0.0.1 socket: 1012 port: 43537	1	0
listen June 22, 2023, 11:08 a.m.	socket: 1012 backlog: 10	1	0
accept June 22, 2023, 11:08 a.m.	ip_address: socket: 1012 port: 0		-1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 71 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ee0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ee0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00873000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00874000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01029000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0102d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 22, 2023, 11:08 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2156 crashed
__exception__ June 22, 2023, 11:08 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 238941080 registers.r15: 91071312 registers.rcx: 1248 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 238940336 registers.rsp: 238940040 registers.r11: 238943952 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1260 registers.r12: 238940696 registers.rbp: 238940192 registers.rdi: 91090000 registers.rax: 12058624 registers.r13: 91172064	1	0	0

Steals private information from local Internet browsers (50 out of 84 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\QuotaManager
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Network Persistent State
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\000006.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Safe Browsing Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Top Sites-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\History Provider Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Module Info Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Shortcuts-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Trust Tokens-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\previews_opt_out.db
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Local Storage\leveldb\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\DevToolsActivePort
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Local Storage\leveldb\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Safe Browsing Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Network Action Predictor
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Safe Browsing Channel IDs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\heavy_ad_intervention_opt_out.db
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Favicons
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\blob_storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Local Storage\leveldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Visited Links
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Local Storage\leveldb\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Origin Bound Certs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Google Profile.ico
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Origin Bound Certs
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\File System\primary.origin
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Trust Tokens
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\History-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Media History-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\chrome_debug.log
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Favicons-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Default\Reporting and NEL-journal

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 22, 2023, 11:08 a.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000e600', u'virtual_address': u'0x00001000', u'entropy': 7.055871058095526, u'name': u'.text', u'virtual_size': u'0x0000e5e4'}

entropy

7.0558710581

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0006fe00', u'virtual_address': u'0x00010000', u'entropy': 7.994060822584475, u'name': u'.data', u'virtual_size': u'0x0006fd88'}

entropy

7.99406082258

description

A section with a high entropy has been found

entropy

0.517683239364

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 22, 2023, 11:08 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (3 events)

Time & API	Arguments	Status
NtTerminateProcess June 22, 2023, 11:08 a.m.	status_code: 0xffffffff process_identifier: 496 process_handle: 0x00000548
NtTerminateProcess June 22, 2023, 11:09 a.m.	status_code: 0xc0000005 process_identifier: 2156 process_handle: 0x000000000000018c
NtTerminateProcess June 22, 2023, 11:09 a.m.	status_code: 0xc0000005 process_identifier: 2156 process_handle: 0x000000000000018c	1

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 22, 2023, 11:08 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

123.exe tried to sleep 2728175 seconds, actually delayed analysis time by 2728175 seconds

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,132481510902047191,17935017906015812452,131072 --headless --headless --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1164 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User DataG1KPT" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef3e16e00,0x7fef3e16e10,0x7fef3e16e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x180,0x184,0x188,0x17c,0x18c,0x7fef3603d58,0x7fef3603d68,0x7fef3603d78

Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2320 resumed a thread in remote process 2156
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:08 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:09 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:09 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:09 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:09 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0
NtResumeThread June 22, 2023, 11:09 a.m.	thread_handle: 0x00000000000000fc suspend_count: 2 process_identifier: 2156	1	0	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.HTA.tsnj
MicroWorld-eScan	Trojan.GenericKD.67584453
FireEye	Generic.mg.0a37c2dbf12101e1
ALYac	Trojan.GenericKD.67584453
Cylance	unsafe
VIPRE	Trojan.GenericKD.67584453
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005a6c471 )
Alibaba	Trojan:Win32/GenKryptik.9fde0e05
K7GW	Trojan ( 005a6c471 )
Cybereason	malicious.67f80b
Arcabit	Trojan.Generic.D40741C5
Cyren	W32/ABRisk.JDYE-6828
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenKryptik_AGen.ACV
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan.Win32.HTA.tl
BitDefender	Trojan.GenericKD.67584453
NANO-Antivirus	Trojan.Win32.HTA.jwlzcw
Avast	Win32:Evo-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bef843
Emsisoft	Trojan.GenericKD.67584453 (B)
F-Secure	Trojan.TR/AD.Nekark.ldyqm
DrWeb	Trojan.Siggen20.64563
Zillya	Trojan.HTA.Win32.157
TrendMicro	TROJ_GEN.R002C0PFK23
McAfee-GW-Edition	RDN/Generic PWS.y
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.PSW.Stealer.cca
Avira	TR/AD.Nekark.ldyqm
Antiy-AVL	Trojan/Win32.GenKryptik
Gridinsoft	Ransom.Win32.Wacatac.cl
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan.Win32.HTA.tl
GData	Win32.Trojan.Agent.GZHHU5
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R587297
McAfee	RDN/Generic PWS.y
MAX	malware (ai score=88)
Malwarebytes	Generic.Crypt.Trojan.DDS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0PFK23
Rising	Trojan.HTA!8.11E8A (TFE:5:N4c784Php0B)
Yandex	Trojan.GenKryptik_AGen!p9Ocdg5jnyI
Ikarus	Trojan.Win32.Krypt

123.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All