Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 22, 2024, 3:16 p.m.	Aug. 22, 2024, 3:27 p.m.

Size	89.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2793052c06a09759b35d30e329294b6a`
SHA256	`b56e0f29fe0a20461f809c72831738d84a0643bf652f0a72533c54f306db2418`
CRC32	`64292B2A`
ssdeep	`1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfhxE6BO+:Hq6+ouCpk2mpcWJ0r+QNTBfhuS`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2436
- cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F112.tmp\F122.tmp\F123.bat C:\Users\test22\AppData\Local\Temp\random.exe"
  2600
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    2696
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2f46e00,0x7fef2f46e10,0x7fef2f46e20
      2848
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (22 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:09 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:08 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
file	C:\Program Files\Mozilla Firefox\firefox.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 22, 2024, 3:09 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 251130200 registers.r15: 82431424 registers.rcx: 1292 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 251129456 registers.rsp: 251129160 registers.r11: 251133072 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1360 registers.r12: 251129816 registers.rbp: 251129312 registers.rdi: 82761008 registers.rax: 9961472 registers.r13: 82478784	1	0	0

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2696 crashed
__exception__ Aug. 22, 2024, 3:09 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 251130200 registers.r15: 82431424 registers.rcx: 1292 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 251129456 registers.rsp: 251129160 registers.r11: 251133072 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1360 registers.r12: 251129816 registers.rbp: 251129312 registers.rdi: 82761008 registers.rax: 9961472 registers.r13: 82478784	1	0	0

Steals private information from local Internet browsers (20 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66C74CB9-A88.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\aa576b35-bdd7-491b-8b62-5585625fae6e.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\F112.tmp\F122.tmp\F123.bat

Creates a suspicious process (1 event)

cmdline

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F112.tmp\F122.tmp\F123.bat C:\Users\test22\AppData\Local\Temp\random.exe"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 22, 2024, 3:15 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\F112.tmp\F122.tmp\F123.bat C:\Users\test22\AppData\Local\Temp\random.exe" filepath: C:\Windows\sysnative\cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.110640338733982, u'name': u'.rdata', u'virtual_size': u'0x0000339d'}

entropy

7.11064033873

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x00019000', u'entropy': 7.551037045478658, u'name': u'.rsrc', u'virtual_size': u'0x00000ffc'}

entropy

7.55103704548

description

A section with a high entropy has been found

Potentially malicious URLs were found in the process memory dump (50 out of 127 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	https://accounts.google.com/ServiceLogin?service=accountsettings
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	https://crash-reports.mozilla.com/submit?id=
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0

Yara rule detected in process memory (49 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 22, 2024, 3:09 p.m.	status_code: 0xc0000005 process_identifier: 2696 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess Aug. 22, 2024, 3:09 p.m.	status_code: 0xc0000005 process_identifier: 2696 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F112.tmp\F122.tmp\F123.bat C:\Users\test22\AppData\Local\Temp\random.exe"
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\F112.tmp\F122.tmp\F123.bat C:\Users\test22\AppData\Local\Temp\random.exe"

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000058	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000058	1	0	0

Manipulates memory of a non-child process indicative of process injection (13 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 manipulating memory of non-child process 2892
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x000000013fc12000 process_handle: 0x0000000000000054	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x000000013fc12000 process_handle: 0x0000000000000054	1	0	0
NtMapViewOfSection Aug. 22, 2024, 3:08 p.m.	section_handle: 0x0000000000000068 process_identifier: 2892 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000077010000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000058	1	0	0
NtAllocateVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000077010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000058	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000058	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000077711000 process_handle: 0x0000000000000058	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000058	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000776e7000 process_handle: 0x0000000000000058	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x000000013fbc0000 process_handle: 0x0000000000000054	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x000000013fbc0000 process_handle: 0x0000000000000054	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 (PAGE_READWRITE) base_address: 0x000000013fc1a000 process_handle: 0x0000000000000054	1	0	0
NtProtectVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x000000013fc1a000 process_handle: 0x0000000000000054	1	0	0

Potential code injection by writing to the memory of another process (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 injected into non-child 2892
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: base_address: 0x000000013fc122b0 process_identifier: 2892 process_handle: 0x0000000000000054	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: base_address: 0x000000013fc20d88 process_identifier: 2892 process_handle: 0x0000000000000054	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: I»`#¾?Aÿã base_address: 0x0000000077711590 process_identifier: 2892 process_handle: 0x0000000000000058	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: w base_address: 0x000000013fc20d78 process_identifier: 2892 process_handle: 0x0000000000000054	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: I» ¾?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2892 process_handle: 0x0000000000000058	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: w base_address: 0x000000013fc20d70 process_identifier: 2892 process_handle: 0x0000000000000054	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: ÏT base_address: 0x000000013fbc0108 process_identifier: 2892 process_handle: 0x0000000000000054	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fc1aae8 process_identifier: 2892 process_handle: 0x0000000000000054	1	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: base_address: 0x000000013fc20c78 process_identifier: 2892 process_handle: 0x0000000000000054	1	1	0

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,5541684671558472443,12650463613368348251,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1020 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2f46e00,0x7fef2f46e10,0x7fef2f46e20
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

Resumed a suspended thread in a remote process potentially indicative of process injection (31 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2436 resumed a thread in remote process 2600
Process injection	Process 2600 resumed a thread in remote process 2696
Process injection	Process 2600 resumed a thread in remote process 2776
Process injection	Process 2776 resumed a thread in remote process 2892
Process injection	Process 2848 resumed a thread in remote process 2696
NtResumeThread Aug. 22, 2024, 3:15 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2600	1	0	0
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2776	1	0	0
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x000000000000004c suspend_count: 1 process_identifier: 2892	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 68 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 22, 2024, 3:15 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2436	1	0
CreateProcessInternalW Aug. 22, 2024, 3:15 p.m.	thread_identifier: 2604 thread_handle: 0x00000218 process_identifier: 2600 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: C:\Windows\sysnative\cmd.exe track: 1 command_line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F112.tmp\F122.tmp\F123.bat C:\Users\test22\AppData\Local\Temp\random.exe" filepath_r: C:\Windows\sysnative\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000021c	1	1
NtResumeThread Aug. 22, 2024, 3:15 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2600	1	0
CreateProcessInternalW Aug. 22, 2024, 3:08 p.m.	thread_identifier: 2700 thread_handle: 0x000000000000006c process_identifier: 2696 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd" filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2696	1	0
CreateProcessInternalW Aug. 22, 2024, 3:08 p.m.	thread_identifier: 2780 thread_handle: 0x0000000000000068 process_identifier: 2776 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd" filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2776	1	0
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2696	1	0
CreateProcessInternalW Aug. 22, 2024, 3:08 p.m.	thread_identifier: 2852 thread_handle: 0x00000000000000c0 process_identifier: 2848 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2f46e00,0x7fef2f46e10,0x7fef2f46e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW Aug. 22, 2024, 3:09 p.m.	thread_identifier: 2280 thread_handle: 0x000000000000054c process_identifier: 2136 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,5541684671558472443,12650463613368348251,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1020 /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000550	1	1
CreateProcessInternalW Aug. 22, 2024, 3:08 p.m.	thread_identifier: 2896 thread_handle: 0x000000000000004c process_identifier: 2892 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x0000000000000054	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: base_address: 0x000000013fc122b0 process_identifier: 2892 process_handle: 0x0000000000000054	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: base_address: 0x000000013fc20d88 process_identifier: 2892 process_handle: 0x0000000000000054	1	1
NtMapViewOfSection Aug. 22, 2024, 3:08 p.m.	section_handle: 0x0000000000000068 process_identifier: 2892 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000077010000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000058	1	0
NtAllocateVirtualMemory Aug. 22, 2024, 3:08 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000077010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000058	1	0
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: I»`#¾?Aÿã base_address: 0x0000000077711590 process_identifier: 2892 process_handle: 0x0000000000000058	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: w base_address: 0x000000013fc20d78 process_identifier: 2892 process_handle: 0x0000000000000054	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: I» ¾?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2892 process_handle: 0x0000000000000058	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: w base_address: 0x000000013fc20d70 process_identifier: 2892 process_handle: 0x0000000000000054	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: ÏT base_address: 0x000000013fbc0108 process_identifier: 2892 process_handle: 0x0000000000000054	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fc1aae8 process_identifier: 2892 process_handle: 0x0000000000000054	1	1
WriteProcessMemory Aug. 22, 2024, 3:08 p.m.	buffer: base_address: 0x000000013fc20c78 process_identifier: 2892 process_handle: 0x0000000000000054	1	1
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x000000000000004c suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread Aug. 22, 2024, 3:08 p.m.	thread_handle: 0x00000000000000f0 suspend_count: 1 process_identifier: 2848	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0
NtGetContextThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Aug. 22, 2024, 3:09 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2696	1	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.IGENERICPMF.S2481492
Skyhigh	BehavesLike.Win32.Generic.mh
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
VirIT	Trojan.Win32.Genus.IHW
ESET-NOD32	BAT/Agent.QJD
APEX	Malicious
McAfee	GenericRXWO-YL!2793052C06A0
Avast	Win32:Evo-gen [Trj]
Zillya	Tool.Lazagne.Win32.102
McAfeeD	Real Protect-LS!2793052C06A0
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.2793052c06a09759
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Google	Detected
Antiy-AVL	Trojan/Win32.Tiggre
Kingsoft	malware.kb.a.980
Microsoft	Trojan:Win32/Babadeda.AMD!MTB
Varist	W32/Kryptik.FDM.gen!Eldorado
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32
Zoner	Trojan.Win32.85523
Tencent	Trojan.Bat.Agent.ha
huorong	HEUR:Trojan/BAT.Agent.da
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/Babadeda.SS!tr
AVG	Win32:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_60% (D)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All