Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 13, 2022, 10:09 a.m.	Dec. 13, 2022, 10:13 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6aa856e8e3543c832d0a6c13e64a76fa`
SHA256	`cebcf731c5512e8515c8fe5dfa2921b763d7f574a5dadd30d9b83caef9cb56ae`
CRC32	`063523D0`
ssdeep	`24576:oJSLpwfVWRh0SGQ48Lm2194mKa4qrNdW9NTPjalbqBgTHd:oup62ESMTjTPjalqKT9`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library Credential_User_Data_Check_Zero - Credential User Data Check SQLite_cookies_Check_Zero - SQLite Cookie Check... select PE_Header_Zero - PE File Signature Trojan_PWS_Stealer_1_Zero - Trojan.PWS.Stealer Zero Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file

mp3studios_92.exe "C:\Users\test22\AppData\Local\Temp\mp3studios_92.exe"
1948
- cmd.exe cmd.exe /c taskkill /f /im chrome.exe
  2200
  - taskkill.exe taskkill /f /im chrome.exe
    2264
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2428
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e06e00,0x7fef3e06e10,0x7fef3e06e20
    2476

Name	Response	Post-Analysis Lookup
iplogger.org	A 148.251.234.83	148.251.234.83
www.icodeps.com	A 149.28.253.196	149.28.253.196

IP Address	Status	Action
148.251.234.83	Active	Moloch
149.28.253.196	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49164 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49162 -> 149.28.253.196:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.83:443 -> 192.168.56.103:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49164 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 149.28.253.196:443	C=CN, O=TrustAsia Technologies, Inc., CN=TrustAsia RSA DV TLS CA G2	CN=icodeps.com	87:db:69:7b:62:f3:12:4a:c6:40:1e:05:07:04:95:6d:41:8c:f8:26

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 13, 2022, 10:09 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Dec. 13, 2022, 10:09 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (21 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:03 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0
IsDebuggerPresent Dec. 13, 2022, 10:02 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Dec. 13, 2022, 10:09 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.lvrodpl

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIP

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 13, 2022, 10:03 a.m.	stacktrace: 0xa90004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa90004 registers.r14: 248246632 registers.r15: 84214560 registers.rcx: 1252 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 248245888 registers.rsp: 248245608 registers.r11: 248249504 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1348 registers.r12: 248246248 registers.rbp: 248245744 registers.rdi: 84195728 registers.rax: 11075584 registers.r13: 82808960	1	0	0

Performs some HTTP requests (1 event)

request

GET https://www.icodeps.com/

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2428 crashed
__exception__ Dec. 13, 2022, 10:03 a.m.	stacktrace: 0xa90004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa90004 registers.r14: 248246632 registers.r15: 84214560 registers.rcx: 1252 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 248245888 registers.rsp: 248245608 registers.r11: 248249504 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1348 registers.r12: 248246248 registers.rbp: 248245744 registers.rdi: 84195728 registers.rax: 11075584 registers.r13: 82808960	1	0	0

Steals private information from local Internet browsers (26 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-639858C8-97C.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\a4dbcb14-ea02-434d-bdb3-96996545c423.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Foreign language identified in PE resource (4 events)

name

ZIP

language

LANG_CHINESE

filetype

Zip archive data, at least v1.0 to extract

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0015fb50

size

0x0000c351

name

RT_ICON

language

LANG_CHINESE

filetype

dBase III DBT, version number 0, next free block index 40

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014f180

size

0x00010828

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0015f9a8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

PGP symmetric key encrypted data - Plaintext or unencrypted data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0015f9c0

size

0x0000018c

Creates executable files on the filesystem (6 events)

file	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
file	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
file	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
file	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
file	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
file	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0001d200', u'virtual_address': u'0x0014f000', u'entropy': 7.260576810941372, u'name': u'.rsrc', u'virtual_size': u'0x0001d028'}

entropy

7.26057681094

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW Dec. 13, 2022, 10:09 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (7 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Dec. 13, 2022, 10:09 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Dec. 13, 2022, 10:09 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Dec. 13, 2022, 10:09 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Dec. 13, 2022, 10:09 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e8 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Dec. 13, 2022, 10:09 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Dec. 13, 2022, 10:09 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW Dec. 13, 2022, 10:09 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Dec. 13, 2022, 10:03 a.m.	status_code: 0xc0000005 process_identifier: 2428 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess Dec. 13, 2022, 10:03 a.m.	status_code: 0xc0000005 process_identifier: 2428 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	taskkill /f /im chrome.exe
cmdline	cmd.exe /c taskkill /f /im chrome.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1056,2238680125934728714,8778810353709579778,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1060 /prefetch:2
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e06e00,0x7fef3e06e10,0x7fef3e06e20

Resumed a suspended thread in a remote process potentially indicative of process injection (23 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2476 resumed a thread in remote process 2428
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0
NtResumeThread Dec. 13, 2022, 10:03 a.m.	thread_handle: 0x0000000000000114 suspend_count: 2 process_identifier: 2428	1	0	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.BadrTikserV.Trojan
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.GenericKDZ.93875
CAT-QuickHeal	PUA.GenericRI.S23474139
ALYac	Trojan.GenericKDZ.93875
Zillya	Trojan.Agent.Win32.3088749
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Spyware ( 005690661 )
K7GW	Spyware ( 005690661 )
Cybereason	malicious.8e3543
Arcabit	Trojan.Generic.D16EB3
VirIT	Trojan.Win32.Genus.LKW
Cyren	W32/Socelars.M.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Spy.Agent.PYV
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Script.FBStealer.gen
BitDefender	Trojan.GenericKDZ.93875
SUPERAntiSpyware	Trojan.Agent/Gen-SpyStealer
Avast	Win32:PWSX-gen [Trj]
Tencent	Adware.Win32.Extinstaller.b
Ad-Aware	Trojan.GenericKDZ.93875
TACHYON	Trojan/W32.FBStealer.1494016.C
Emsisoft	Trojan-Spy.Agent (A)
DrWeb	Trojan.Siggen17.50710
VIPRE	Trojan.GenericKDZ.93875
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.6aa856e8e3543c83
Sophos	Troj/Socelars-A
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.PSW.Disbuk.dj
Avira	JS/SpyBanker.G2
Antiy-AVL	Trojan/Win32.RedLineStealer
Gridinsoft	Trojan.Heur!.02012021
Microsoft	Trojan:Win32/RedLineStealer.RT!MTB
GData	Win32.Trojan.PSE.1XYZ9KF
Google	Detected
AhnLab-V3	Trojan/Win.Socelars.R523153
Acronis	suspicious
McAfee	GenericRXSB-FG!6AA856E8E354
MAX	malware (ai score=86)
VBA32	BScope.Trojan.Agentb
Malwarebytes	Spyware.Socelars
Rising	Stealer.FBAdsCard!1.CE03 (CLASSIC)
Yandex	TrojanSpy.Agent!EfXMZhOQIc0
Ikarus	Trojan-Spy.Agent
MaxSecure	Trojan.Malware.121218.susgen

mp3studios_92.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All