Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 28, 2021, 11:08 a.m.	April 28, 2021, 11:10 a.m.

Size	373.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`10e868b5ebf405fe2ca10e0552023d44`
SHA256	`71fb7537b5a88f41f407fcfda5781b4834f3fce234ff50030e48569574b4b043`
CRC32	`709935B8`
ssdeep	`6144:kbUTp1H7vzPjAcM+zsT8qEJEbrPBj3AIDkk7vCdWYDbHIae+0U/aM4tp5iFw2EWb:kIX7788J2aIDz7asspeuSLp5iefq`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasRichSignature - Rich Signature Check

FreeMaps.af75d672c26d4cc59fc74465083f473c.exe "C:\Users\test22\AppData\Local\Temp\FreeMaps.af75d672c26d4cc59fc74465083f473c.exe"
996

Name	Response	Post-Analysis Lookup
dp.tb.ask.com	A 34.107.128.118	34.107.128.118
anx.mindspark.com	A 34.102.222.207	34.102.222.207

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
34.102.222.207	Active	Moloch
34.107.128.118	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49809 -> 34.107.128.118:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49809 34.107.128.118:443	C=US, O=Let's Encrypt, CN=R3	CN=dp.tb.ask.com	44:f8:0d:13:ec:93:20:8d:aa:87:47:8b:43:be:99:08:b7:64:ef:7b

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2021, 11:08 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (3 events)

request	GET http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=Error&errorCode=-16&errorType=nsisError&errorDetails=af75d672c26d4cc59fc74465083f473c&platform=vicinio&anxv=2.7.1.3000&anxd=2018-10-23&coid=af75d672c26d4cc59fc74465083f473c&refPartner=^BXV^mni000^S29402&refSub=&anxl=en-US&anxr=2022722323&refCobrand=BXV&refCampaign=mni000&refTrack=S29402&refCountry=
request	GET http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=Error&errorCode=-11&errorType=nsisError&errorDetails=File+Not+Found+%28404%29&platform=vicinio&anxv=2.7.1.3000&anxd=2018-10-23&coid=af75d672c26d4cc59fc74465083f473c&refPartner=^BXV^mni000^S29402&refSub=&anxl=en-US&anxr=2075128396&refCobrand=BXV&refCampaign=mni000&refTrack=S29402&refCountry=
request	GET https://dp.tb.ask.com/installerParams.jhtml?coId=af75d672c26d4cc59fc74465083f473c

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 28, 2021, 11:08 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2021, 11:08 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2021, 11:08 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\nseFFE5.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nseFFE5.tmp\nsDialogs.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nseFFE5.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nseFFE5.tmp\System.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (42 events)

Time & API	Arguments	Status	Return
Process32FirstW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: [System Process] process_identifier: 0	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: System process_identifier: 4	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: smss.exe process_identifier: 224	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: services.exe process_identifier: 440	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: mobsync.exe process_identifier: 9120	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 2552	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: taskhost.exe process_identifier: 176	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 9180	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 8600	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 2952	1	1
Process32NextW April 28, 2021, 11:08 a.m.	snapshot_handle: 0x000001f4 process_name: FreeMaps.af75d672c26d4cc59fc74465083f473c.exe process_identifier: 996	1	1

Expresses interest in specific running processes (1 event)

process

freemaps.af75d672c26d4cc59fc74465083f473c.exe

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW April 28, 2021, 11:08 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\FreeMapsTooltab Uninstall Internet Explorer base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreeMapsTooltab Uninstall Internet Explorer		2	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

CAT-QuickHeal	PUA.Mindsparki.Gen
Cylance	Unsafe
K7GW	Adware ( 004e15d51 )
K7AntiVirus	Adware ( 004e15d51 )
Invincea	heuristic
F-Prot	W32/Adware.ANBU
Kaspersky	not-a-virus:HEUR:WebToolbar.Win32.Agent.gen
ViRobot	Adware.Mindspark.382768.A
Rising	PUF.MySearch!1.AEA3 (CLASSIC:bWQ1OnZ3N/AEVQMtiToiO3hiHy0)
Emsisoft	Application.WebToolbar (A)
Comodo	ApplicUnwnt@#101t2rdwcqm0e
DrWeb	Adware.MyWebSearch.145
Fortinet	Adware/Agent
Cyren	W32/Adware.JQZB-7335
Webroot	W32.Adware.Installcore
Antiy-AVL	GrayWare/Win32.StartPage.gen
Endgame	malicious (high confidence)
SUPERAntiSpyware	PUP.MindSpark/Variant
ZoneAlarm	not-a-virus:HEUR:Downloader.Win32.Agent.gen
Microsoft	PUA:Win32/MyWebSearch
AhnLab-V3	PUP/Win32.Mindspark.R233545
VBA32	Adware.Agent
Malwarebytes	PUP.Optional.MindSpark
Zoner	Trojan.Win32.70060
ESET-NOD32	Win32/Toolbar.MyWebSearch.BA potentially unwanted
Yandex	PUA.Agent!
SentinelOne	static engine - malicious
GData	Win32.Adware.Mindspark.E
AVG	Win32:UnwantedSig [PUP]
Avast	Win32:UnwantedSig [PUP]
CrowdStrike	malicious_confidence_100% (D)
Qihoo-360	Win32/Virus.Adware.e71

FreeMaps.af75d672c26d4cc59fc74465083f473c.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All