clr.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6403_us | Nov. 13, 2024, 2:05 p.m. | Nov. 13, 2024, 2:11 p.m. |
-
-
-
taskkill.exe taskkill /f /im miter.exe
2140 -
instsrv.exe instsrv.exe alark C:\Windows\alark.exe
2240 -
PING.EXE ping 127.0.0.1 -n 2
2304 -
reg.exe Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "Description" /t REG_SZ /d "Alarm service for default browser." /f
2368 -
reg.exe Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "DisplayName" /t REG_SZ /d "Alarm Key Service" /f
2412 -
reg.exe Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "ObjectName" /t REG_SZ /d "LocalSystem" /f
2456 -
reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "Start" /t REG_DWORD /d "2" /f
2500 -
reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "Type" /t REG_DWORD /d "16" /f
2544 -
reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "ErrorControl" /t REG_DWORD /d "1" /f
2588 -
reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\Windows\alark.exe" /f
2632 -
reg.exe Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark\Parameters" /v "Application" /t REG_SZ /d "cmd /c start C:\Windows\miter.exe -t3010 C:\Windows\sysclr.bat" /f
2676 -
PING.EXE ping 127.0.0.1 -n 2
2724 -
-
net1.exe C:\Windows\system32\net1 start alark
2832
-
-
PING.EXE ping 127.0.0.1 -n 4
2972 -
timeout.exe timeout 4 /NOBREAK
508 -
taskkill.exe taskkill /f /im alark.exe
2416
-
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
| IP Address | Status | Action |
|---|---|---|
| No hosts contacted. | ||
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
| file | C:\Windows\miterINST.exe |
| file | C:\Windows\clrinst.bat |
| file | C:\Windows\alark.exe |
| file | C:\Windows\sysclr.bat |
| file | C:\Windows\instsrv.exe |
| file | C:\Windows\sysclr.exe |
| file | C:\Windows\clrinst.bat |
| file | C:\Windows\instsrv.exe |
| wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "alark.exe") |
| wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "miter.exe") |
| section | {u'size_of_data': u'0x0000b400', u'virtual_address': u'0x0001a000', u'entropy': 7.888577112876484, u'name': u'UPX1', u'virtual_size': u'0x0000c000'} | entropy | 7.88857711288 | description | A section with a high entropy has been found | |||||||||
| entropy | 0.909090909091 | description | Overall entropy of this PE file is high | |||||||||||
| section | UPX0 | description | Section name indicates UPX | ||||||
| section | UPX1 | description | Section name indicates UPX | ||||||
| cmdline | ping 127.0.0.1 -n 4 |
| cmdline | reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\Windows\alark.exe" /f |
| cmdline | taskkill /f /im miter.exe |
| cmdline | reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "ErrorControl" /t REG_DWORD /d "1" /f |
| cmdline | ping 127.0.0.1 -n 2 |
| cmdline | Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "Description" /t REG_SZ /d "Alarm service for default browser." /f |
| cmdline | reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "Start" /t REG_DWORD /d "2" /f |
| cmdline | Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark\Parameters" /v "Application" /t REG_SZ /d "cmd /c start C:\Windows\miter.exe -t3010 C:\Windows\sysclr.bat" /f |
| cmdline | Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "DisplayName" /t REG_SZ /d "Alarm Key Service" /f |
| cmdline | reg add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "Type" /t REG_DWORD /d "16" /f |
| cmdline | taskkill /f /im alark.exe |
| cmdline | Reg Add "HKLM\SYSTEM\CurrentControlSet\services\alark" /v "ObjectName" /t REG_SZ /d "LocalSystem" /f |
| cmdline | net start alark |
| service_name | alark | service_path | C:\Windows\alark.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\alark\ImagePath | reg_value | C:\Windows\alark.exe | ||||||
| service | alark (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\alark\Start) |
| Lionic | Trojan.Win32.Generic.lCIq |
| Cynet | Malicious (score: 99) |
| Skyhigh | Clearlogs |
| ALYac | Application.Clearlog.A |
| Cylance | Unsafe |
| VIPRE | Application.Bat.VJC |
| CrowdStrike | win/grayware_confidence_90% (W) |
| BitDefender | Application.Bat.VJC |
| K7GW | Riskware ( 0015e4f01 ) |
| K7AntiVirus | Riskware ( 0015e4f01 ) |
| Arcabit | Application.Bat.VJC [many] |
| Baidu | Win32.HackTool.Clearlog.b |
| VirIT | Trojan.Win32.Agent.AYQF |
| Symantec | Hacktool.Clearlogs |
| Elastic | malicious (moderate confidence) |
| ESET-NOD32 | multiple detections |
| Avast | SFX:Dropper-L [Drp] |
| ClamAV | Win.Trojan.Genome-5527 |
| Kaspersky | UDS:Trojan.Win32.Scar |
| NANO-Antivirus | Trojan.Win32.DownLoad3.cqqapi |
| MicroWorld-eScan | Application.Bat.VJC |
| Rising | Hack.Clearlog.k (CLASSIC) |
| Emsisoft | Application.Bat.VJC (B) |
| F-Secure | Trojan.TR/Spy.6144.213 |
| DrWeb | VirusConstructor.ClearLogs |
| TrendMicro | TSPY_FAREIT.YYSRV |
| McAfeeD | ti!D00D806F1DF7 |
| CTX | exe.trojan.clearlog |
| Sophos | Mal/Generic-S |
| Ikarus | HackTool.Win32.Clearlog |
| FireEye | Generic.mg.a736e23ae291f6d3 |
| Jiangmin | HackTool.Clearlog.l |
| Detected | |
| Avira | TR/Dropper.Gen |
| Antiy-AVL | HackTool/Win32.KeyGen |
| Gridinsoft | Trojan.Win32.Gen.cc!s2 |
| Xcitium | Malware@#2f8qa3jru3l1h |
| Microsoft | HackTool:Win32/Multiverze |
| ZoneAlarm | HackTool.Win32.Clearlog.c |
| GData | Gen:Variant.Razy.117592 |
| Varist | W32/Trojan.RFBI-8246 |
| AhnLab-V3 | PUP/Win32.Agent.R348454 |
| McAfee | Artemis!A736E23AE291 |
| DeepInstinct | MALICIOUS |
| VBA32 | BScope.Trojan.Ditertag |
| Malwarebytes | Malware.AI.1986806844 |
| Panda | Trj/CI.A |
| Zoner | Probably Heur.ExeHeaderL |
| TrendMicro-HouseCall | TSPY_FAREIT.YYSRV |
| Tencent | Win32.Hacktool.Clearlog.Qimw |