Summary | ZeroBOX

Sniffthem.exe

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, Code injection, HTTP, Escalate privileges, Http API, Internet API, persistence, GIF Format, PE64, Lnk Format, PE File, OS Processor Check, AntiVM, AntiDebug
Category: FILE
Machine: s1_win7_x6401
Started: Oct. 21, 2024, 2:07 p.m.
Completed: Oct. 21, 2024, 2:16 p.m.
Size: 279.0KB
Type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: d0cce7870080bd889dba1f4cfd2b3b26
SHA256: 8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a
CRC32: 23A753BB
ssdeep: 6144:imUMliX/k5k646sOcT86ISrQdoBX67Hgo2TWD:AMl6Y/fyQdWeHgo2a
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
IP traffic (IP Address / Status / Action): no hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlPcToFileHeader+0x9b RtlCreateTimer-0x55 ntdll+0xce6b @ 0x76d3ce6b
GlobalAlloc+0xbc GlobalFree-0x34 kernelbase+0xbc7c @ 0x7fefd4fbc7c
GetModuleHandleExA+0x4d FreeResource-0x413 kernelbase+0x1b80d @ 0x7fefd50b80d
WSPStartup+0xbf inet_network-0xd361 mswsock+0x921f @ 0x7fefc9c921f
WahOpenApcHelper+0x20a send-0x236 ws2_32+0x7dca @ 0x7fefd697dca
__WSAFDIsSet+0xe02 WahCreateHandleContextTable-0xa2e ws2_32+0x5d22 @ 0x7fefd695d22
WSASendTo+0x1db WEP-0x75c5 ws2_32+0xef2b @ 0x7fefd69ef2b
WSAAddressToStringW+0x9d getnameinfo-0x73 ws2_32+0xe73d @ 0x7fefd69e73d
GetNameInfoW+0xdb accept-0x55 ws2_32+0xe9ab @ 0x7fefd69e9ab
getnameinfo+0xa2 GetNameInfoW-0x7e ws2_32+0xe852 @ 0x7fefd69e852
InternetOpenA+0xb24 IsHostInProxyBypassList-0x2524 wininet+0x1aac0 @ 0x76acaac0
InternetOpenA+0x23df IsHostInProxyBypassList-0xc69 wininet+0x1c37b @ 0x76acc37b
InternetOpenA+0x2171 IsHostInProxyBypassList-0xed7 wininet+0x1c10d @ 0x76acc10d
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
InternetOpenA+0x210b IsHostInProxyBypassList-0xf3d wininet+0x1c0a7 @ 0x76acc0a7
InternetOpenA+0x1fdd IsHostInProxyBypassList-0x106b wininet+0x1bf79 @ 0x76acbf79
InternetOpenA+0x163c IsHostInProxyBypassList-0x1a0c wininet+0x1b5d8 @ 0x76acb5d8
InternetOpenA+0xba1 IsHostInProxyBypassList-0x24a7 wininet+0x1ab3d @ 0x76acab3d
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
InternetOpenA+0x1161 IsHostInProxyBypassList-0x1ee7 wininet+0x1b0fd @ 0x76acb0fd
InternetOpenA+0x1bba IsHostInProxyBypassList-0x148e wininet+0x1bb56 @ 0x76acbb56
InternetInitializeAutoProxyDll+0x3ae1 InternetOpenA-0x83fb wininet+0x11ba1 @ 0x76ac1ba1
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
InternetInitializeAutoProxyDll+0x4a7b InternetOpenA-0x7461 wininet+0x12b3b @ 0x76ac2b3b
InternetInitializeAutoProxyDll+0x4632 InternetOpenA-0x78aa wininet+0x126f2 @ 0x76ac26f2
InternetInitializeAutoProxyDll+0x458d InternetOpenA-0x794f wininet+0x1264d @ 0x76ac264d
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
InternetInitializeAutoProxyDll+0x3458 InternetOpenA-0x8a84 wininet+0x11518 @ 0x76ac1518
InternetInitializeAutoProxyDll+0x3321 InternetOpenA-0x8bbb wininet+0x113e1 @ 0x76ac13e1
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
InternetInitializeAutoProxyDll+0x2600 InternetOpenA-0x98dc wininet+0x106c0 @ 0x76ac06c0
InternetInitializeAutoProxyDll+0x1dee InternetOpenA-0xa0ee wininet+0xfeae @ 0x76abfeae
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
IsHostInProxyBypassList+0x647f InternetOpenUrlA-0x5b1 wininet+0x23463 @ 0x76ad3463
IsHostInProxyBypassList+0x643d InternetOpenUrlA-0x5f3 wininet+0x23421 @ 0x76ad3421
InternetOpenUrlA+0x986 InternetCrackUrlW-0x49a6 wininet+0x2439a @ 0x76ad439a
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
InternetOpenUrlA+0x603 InternetCrackUrlW-0x4d29 wininet+0x24017 @ 0x76ad4017
InternetOpenUrlA+0x345 InternetCrackUrlW-0x4fe7 wininet+0x23d59 @ 0x76ad3d59
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x76abe400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x76abe31d
InternetOpenUrlA+0x26a InternetCrackUrlW-0x50c2 wininet+0x23c7e @ 0x76ad3c7e
InternetOpenUrlA+0x65 InternetCrackUrlW-0x52c7 wininet+0x23a79 @ 0x76ad3a79
New_wininet_InternetOpenUrlA+0x62 New_wininet_InternetOpenUrlW-0x15e @ 0x7399c563
InternetOpenUrlW+0x109 InternetGetLastResponseInfoW-0x93 wininet+0x833c9 @ 0x76b333c9
New_wininet_InternetOpenUrlW+0x143 New_wininet_InternetOpenW-0x7d @ 0x7399c804
0x1400032e8
0x140003bfe
0x140003ed9
0x14000ecc6
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 41 8b 43 50 48 03 43 30 48 3b f8 73 c9 48 8b 73
exception.symbol: RtlPcToFileHeader+0x9b RtlCreateTimer-0x55 ntdll+0xce6b
exception.instruction: mov eax, dword ptr [r11 + 0x50]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 52843 (0xce6b)
exception.address: 0x76d3ce6b
(With r11 = 0 the faulting instruction reads address 0x50, a null-pointer dereference inside RtlPcToFileHeader. Hex equivalents of the decimal register values are given in parentheses.)
registers.r14: 0
registers.r15: 0
registers.rcx: 23117 (0x5a4d, the "MZ" DOS signature)
registers.rsi: 0
registers.r10: 3221225595 (0xc000007b, STATUS_INVALID_IMAGE_FORMAT)
registers.rbx: 0
registers.rsp: 1637680 (0x18fd30)
registers.r11: 0
registers.r8: 0
registers.r9: 1623416 (0x18c578)
registers.rdx: 5368709120 (0x140000000)
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3221225595 (0xc000007b, STATUS_INVALID_IMAGE_FORMAT)
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004160000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff (the current-process pseudo-handle: this RWX allocation is local, not in the remote svchost.exe)
1 0 0
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\{03BD451ED4621855818353}\{03BD451ED4621855818353}.exe
filepath: C:\Users\test22\AppData\Roaming\{03BD451ED4621855818353}\{03BD451ED4621855818353}.exe
1 1 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk
cmdline C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Time & API Arguments Status Return Repeated

Process32NextW (18 calls, each logged as "0 0" in the trailing columns), grouped by snapshot handle and the process entry returned:
  • snapshot_handle 0x0000000000000098: Sniffthem.exe, process_identifier 2544 (4 calls)
  • snapshot_handle 0x0000000000000098: svchost.exe, process_identifier 2248 (3 calls)
  • snapshot_handle 0x00000000000000d0: svchost.exe, process_identifier 2248 (1 call)
  • snapshot_handle 0x00000000000000d4: svchost.exe, process_identifier 2248 (5 calls)
  • snapshot_handle 0x00000000000001ec: svchost.exe, process_identifier 2248 (5 calls)
Signatures (description, rule):
  • Match Windows Http API call (rule Str_Win32_Http_API)
  • Escalate privileges (rule Escalate_priviledges; rule name spelled as the sandbox names it)
  • Communications over HTTP (rule Network_HTTP)
  • Code injection with CreateRemoteThread in a remote process (rule Code_injection). This is a static rule match; the call trace on this page shows the injection into svchost.exe performed with NtMapViewOfSection, WriteProcessMemory, NtSetContextThread and NtResumeThread, and no CreateRemoteThread call is logged.
  • (no description) (rule DebuggerCheck__GlobalFlags)
  • (no description) (rule DebuggerCheck__QueryInfo)
  • (no description) (rule DebuggerHiding__Thread)
  • (no description) (rule DebuggerHiding__Active)
  • (no description) (rule ThreadControl__Context)
  • (no description) (rule SEH__vectored)
  • Checks if being debugged (rule anti_dbg)
  • Bypass DEP (rule disable_dep)
  • The following rule is referenced from AlienVault's Yara rule repository. This rule contains additional process and driver names. (rule vmdetect_misc)
  • Match Windows Inet API call (rule Str_Win32_Internet_API)
  • Install itself for autorun at Windows startup (rule Persistence)
buffer Buffer with sha1: 109a275331f41b063e5995513949989d1f2fd412
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Services
reg_value: C:\Users\test22\AppData\Roaming\{03BD451ED4621855818353}\{03BD451ED4621855818353}.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk
Time & API Arguments Status Return Repeated

NtWriteFile

buffer: feec0-ffee-c0ff-eec0-ffeec0ffeec0"); user_pref("toolkit.telemetry.pioneer-new-studies-available", true); user_pref("toolkit.telemetry.previousBuildID", "20220922151854"); user_pref("toolkit.telemetry.reportingpolicy.firstRun", false); user_pref("trailhead.firstrun.didSeeAboutWelcome", true); user_pref("network.http.http2.enabled", false); user_pref("network.http.http3.enable", false); user_pref("network.http.version", 1); user_pref("network.http.http4.enable", false); user_pref("network.http.spdy.enabled", false); user_pref("network.http.spdy.enabled.v3", false); user_pref("network.http.spdy.enabled.v3-1", false);
offset: 0
file_handle: 0x00000000000000cc
filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x000007fffffd6010 (0x7fffffd6000 + 0x10, the PEB.ImageBaseAddress field on x64; the PEB address is the NtSetContextThread rdx value 8796092850176 = 0x7fffffd6000)
process_identifier: 2248
process_handle: 0x0000000000000240
1 1 0
Time & API Arguments Status Return Repeated

NtWriteFile

buffer: // Mozilla User Preferences // DO NOT EDIT THIS FILE. // // If you make changes to this file while the application is running, // the changes will be overwritten when the application exits. // // To change a preference value, you can either: // - modify it via the UI (e.g. via about:config in the browser); or // - set it within a user.js file in your profile. user_pref("app.installation.timestamp", "133087271025332031"); user_pref("app.normandy.first_run", false); user_pref("app.normandy.migrationsApplied", 12); user_pref("app.normandy.user_id", "2855b7b1-3af9-4497-acb5-686dcaa31c47"); user_pref("app.shield.optoutstudies.enabled", false); user_pref("app.update.auto.migrated", true); user_pref("app.update.background.lastInstalledTaskVersion", 3); user_pref("app.update.background.previous.reasons", "[\"app.update.auto=false\",\"app.update.langpack.enabled=true and at least one langpack is installed\"]"); user_pref("app.update.background.rolledout", true); user_pref("app.update.lastUpdateTime.addon-background-update-timer", 0); user_pref("app.update.lastUpdateTime.background-update-timer", 1664253878); user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1664253533); user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1664253765); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1664253506); user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1664253649); user_pref("app.update.lastUpdateTime.services-settings-poll-changes", 0); user_pref("app.update.lastUpdateTime.telemetry_modules_ping", 1664253561); user_pref("app.update.lastUpdateTime.telemetry_untrustedmodules_ping", 0); user_pref("app.update.lastUpdateTime.xpi-signature-verification", 0); user_pref("app.update.migrated.updateDir3.308046B0AF4A39CB", true); user_pref("app.update.service.enabled", false); user_pref("browser.bookmarks.addedImportButton", true); 
user_pref("browser.bookmarks.restore_default_bookmarks", false); user_pref("browser.contentblocking.category", "custom"); user_pref("browser.contextual-services.contextId", "{45d8cf56-f6a3-47b5-90bb-f1357160be28}"); user_pref("browser.download.viewableInternally.typeWasRegistered.avif", true); user_pref("browser.download.viewableInternally.typeWasRegistered.webp", true); user_pref("browser.laterrun.bookkeeping.profileCreationTime", 1664253506); user_pref("browser.laterrun.bookkeeping.sessionCount", 1); user_pref("browser.laterrun.enabled", true); user_pref("browser.launcherProcess.enabled", true); user_pref("browser.migration.version", 128); user_pref("browser.newtabpage.activity-stream.impressionId", "{58eea94c-a09e-4f5e-9166-73e6a44cdef7}"); user_pref("browser.newtabpage.storageVersion", 1); user_pref("browser.pageActions.persistedActions", "{\"ids\":[\"bookmark\"],\"idsInUrlbar\":[\"bookmark\"],\"idsInUrlbarPreProton\":[],\"version\":1}"); user_pref("browser.pagethumbnails.storage_version", 3); user_pref("browser.proton.toolbar.version", 3); user_pref("browser.region.update.updated", 1664253506); user_pref("browser.safebrowsing.malware.enabled", false); user_pref("browser.safebrowsing.phishing.enabled", false); user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "1664253568000"); user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "1664255363000"); user_pref("browser.safebrowsing.provider.mozilla.lastupdatetime", "1664253603826"); user_pref("browser.safebrowsing.provider.mozilla.nextupdatetime", "1664275203826"); user_pref("browser.search.region", "KR"); user_pref("browser.sessionstore.resume_session_once", true); user_pref("browser.sessionstore.resuming_after_os_restart", true); user_pref("browser.shell.checkDefaultBrowser", false); user_pref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", true); user_pref("browser.startup.couldRestoreSession.count", 1); user_pref("browser.startup.homepage_override.buildID", "20220922151854"); 
user_pref("browser.startup.homepage_override.mstone", "105.0.1"); user_p
offset: 0
file_handle: 0x00000000000000cc
filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js
1 0 0

NtWriteFile

buffer: ef("browser.theme.content-theme", 1); user_pref("browser.uiCustomization.state", "{\"placements\":{\"widget-overflow-fixed-list\":[],\"nav-bar\":[\"back-button\",\"forward-button\",\"stop-reload-button\",\"customizableui-special-spring1\",\"urlbar-container\",\"customizableui-special-spring2\",\"save-to-pocket-button\",\"downloads-button\",\"fxa-toolbar-menu-button\"],\"toolbar-menubar\":[\"menubar-items\"],\"TabsToolbar\":[\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"PersonalToolbar\":[\"import-button\",\"personal-bookmarks\"]},\"seen\":[\"save-to-pocket-button\",\"developer-button\"],\"dirtyAreaCache\":[\"nav-bar\",\"PersonalToolbar\"],\"currentVersion\":17,\"newElementCount\":2}"); user_pref("browser.urlbar.placeholderName", "Google"); user_pref("browser.urlbar.quicksuggest.migrationVersion", 2); user_pref("browser.urlbar.quicksuggest.scenario", "history"); user_pref("datareporting.healthreport.uploadEnabled", false); user_pref("datareporting.policy.dataSubmissionPolicyAcceptedVersion", 2); user_pref("datareporting.policy.dataSubmissionPolicyNotifiedTime", "1664253511607"); user_pref("distribution.iniFile.exists.appversion", "105.0.1"); user_pref("distribution.iniFile.exists.value", false); user_pref("doh-rollout.doneFirstRun", true); user_pref("doh-rollout.home-region", "KR"); user_pref("dom.disable_open_during_load", false); user_pref("dom.forms.autocomplete.formautofill", true); user_pref("dom.push.userAgentID", "5e5437fe26414c41b76f8040665ea28f"); user_pref("extensions.activeThemeID", "default-theme@mozilla.org"); user_pref("extensions.blocklist.pingCountVersion", 0); user_pref("extensions.databaseSchema", 35); user_pref("extensions.getAddons.databaseSchema", 6); user_pref("extensions.lastAppBuildId", "20220922151854"); user_pref("extensions.lastAppVersion", "105.0.1"); user_pref("extensions.lastPlatformVersion", "105.0.1"); user_pref("extensions.pendingOperations", false); 
user_pref("extensions.pictureinpicture.enable_picture_in_picture_overrides", true); user_pref("extensions.systemAddonSet", "{\"schema\":1,\"addons\":{}}"); user_pref("extensions.webcompat.enable_shims", true); user_pref("extensions.webcompat.perform_injections", true); user_pref("extensions.webcompat.perform_ua_overrides", true); user_pref("extensions.webextensions.ExtensionStorageIDB.migrated.screenshots@mozilla.org", true); user_pref("extensions.webextensions.uuids", "{\"formautofill@mozilla.org\":\"8e2d33b7-435a-4346-9d8d-ce724460e4f0\",\"pictureinpicture@mozilla.org\":\"7f4301d4-df3b-4412-a32b-ad7cc761aba6\",\"screenshots@mozilla.org\":\"cdbc4c93-5383-4dc3-ad89-02a1afb93438\",\"webcompat-reporter@mozilla.org\":\"43cde495-6686-4b84-a44d-f7c14a03a583\",\"webcompat@mozilla.org\":\"4721c04f-a670-47a8-8dfd-f82f0506f354\",\"default-theme@mozilla.org\":\"7b8eacfd-7c90-4135-ad55-a4b796c42901\",\"addons-search-detection@mozilla.com\":\"57af4285-ce03-4ac5-ab7b-6f4ced9a3fd9\",\"google@search.mozilla.org\":\"a1b4383b-9a99-4c23-9131-de1a180c7511\",\"amazondotcom@search.mozilla.org\":\"f163c254-409d-413b-9e64-fd9f74401062\",\"wikipedia@search.mozilla.org\":\"c7b7235c-db2c-40ea-bb61-9f0ec6cde8c0\",\"bing@search.mozilla.org\":\"a1dc61e9-c342-4250-9d43-a11e93fdcb2e\",\"ddg@search.mozilla.org\":\"01ccae4b-2e5b-4707-8f7e-8e355288e169\"}"); user_pref("fission.experiment.max-origins.last-disqualified", 0); user_pref("fission.experiment.max-origins.last-qualified", 1664253511); user_pref("fission.experiment.max-origins.qualified", true); user_pref("gecko.handlerService.defaultHandlersVersion", 1); user_pref("intl.locale.requested", "en-US"); user_pref("media.gmp-gmpopenh264.abi", "x86_64-msvc-x64"); user_pref("media.gmp-gmpopenh264.lastDownload", 1664253832); user_pref("media.gmp-gmpopenh264.lastInstallStart", 1664253832); user_pref("media.gmp-gmpopenh264.lastUpdate", 1664253833); user_pref("media.gmp-gmpopenh264.version", "1.8.1.2"); user_pref("media.gmp-manager.buildID", 
"20220922151854"); user_pref("media.gmp-manager.lastCheck", 1664253832); user_pref("media.gmp-widevinecdm.abi", "x86_64-msvc-x64"); u
offset: 0
file_handle: 0x00000000000000cc
filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js
1 0 0

NtWriteFile

buffer: d", 1664253833); user_pref("media.gmp-widevinecdm.lastInstallStart", 1664253833); user_pref("media.gmp-widevinecdm.lastUpdate", 1664253833); user_pref("media.gmp-widevinecdm.version", "4.10.2449.0"); user_pref("media.gmp.storage.version.observed", 1); user_pref("media.hardware-video-decoding.failed", false); user_pref("network.cookie.cookieBehavior", 0); user_pref("pdfjs.enabledCache.state", true); user_pref("pdfjs.migrationVersion", 2); user_pref("privacy.sanitize.pending", "[]"); user_pref("privacy.trackingprotection.cryptomining.enabled", false); user_pref("privacy.trackingprotection.fingerprinting.enabled", false); user_pref("privacy.trackingprotection.pbmode.enabled", false); user_pref("sanity-test.device-id", "0xbeef"); user_pref("sanity-test.driver-version", "6.1.7600.16385"); user_pref("sanity-test.running", true); user_pref("sanity-test.version", "20220922151854"); user_pref("security.OCSP.enabled", 0); user_pref("security.sandbox.content.tempDirSuffix", "{bce5b85f-de16-4587-81fd-6cd99c368775}"); user_pref("services.settings.blocklists.addons-bloomfilters.last_check", 1664253847); user_pref("services.settings.blocklists.gfx.last_check", 1664253847); user_pref("services.settings.clock_skew_seconds", -16); user_pref("services.settings.last_etag", "\"1664249251749\""); user_pref("services.settings.last_update_seconds", 1664253847); user_pref("services.settings.main.addons-manager-settings.last_check", 1664253847); user_pref("services.settings.main.anti-tracking-url-decoration.last_check", 1664253847); user_pref("services.settings.main.cfr.last_check", 1664253847); user_pref("services.settings.main.devtools-compatibility-browsers.last_check", 1664253847); user_pref("services.settings.main.devtools-devices.last_check", 1664253847); user_pref("services.settings.main.doh-config.last_check", 1664253847); user_pref("services.settings.main.doh-providers.last_check", 1664253847); user_pref("services.settings.main.fxmonitor-breaches.last_check", 1664253847); 
user_pref("services.settings.main.hijack-blocklists.last_check", 1664253847); user_pref("services.settings.main.language-dictionaries.last_check", 1664253847); user_pref("services.settings.main.message-groups.last_check", 1664253847); user_pref("services.settings.main.nimbus-desktop-experiments.last_check", 1664253847); user_pref("services.settings.main.normandy-recipes-capabilities.last_check", 1664253847); user_pref("services.settings.main.password-recipes.last_check", 1664253847); user_pref("services.settings.main.password-rules.last_check", 1664253847); user_pref("services.settings.main.pioneer-study-addons-v1.last_check", 1664253847); user_pref("services.settings.main.public-suffix-list.last_check", 1664253847); user_pref("services.settings.main.query-stripping.last_check", 1664253847); user_pref("services.settings.main.search-config.last_check", 1664253847); user_pref("services.settings.main.search-default-override-allowlist.last_check", 1664253847); user_pref("services.settings.main.search-telemetry-v2.last_check", 1664253847); user_pref("services.settings.main.sites-classification.last_check", 1664253847); user_pref("services.settings.main.top-sites.last_check", 1664253847); user_pref("services.settings.main.url-classifier-skip-urls.last_check", 1664253847); user_pref("services.settings.main.websites-with-shared-credential-backends.last_check", 1664253847); user_pref("services.settings.main.whats-new-panel.last_check", 1664253847); user_pref("services.settings.security-state.cert-revocations.last_check", 1664253847); user_pref("services.settings.security-state.intermediates.last_check", 1664253847); user_pref("services.settings.security-state.onecrl.last_check", 1664253847); user_pref("services.sync.clients.lastSync", "0"); user_pref("services.sync.declinedEngines", ""); user_pref("services.sync.engine.addresses.available", true); user_pref("services.sync.globalScore", 0); user_pref("services.sync.nextSync", 0); user_pref("services.sync.tabs.lastSync", 
"0"); user_pref("toolkit.startup.last_success", 1664
offset: 0
file_handle: 0x00000000000000cc
filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js
1 0 0

NtWriteFile

buffer: feec0-ffee-c0ff-eec0-ffeec0ffeec0"); user_pref("toolkit.telemetry.pioneer-new-studies-available", true); user_pref("toolkit.telemetry.previousBuildID", "20220922151854"); user_pref("toolkit.telemetry.reportingpolicy.firstRun", false); user_pref("trailhead.firstrun.didSeeAboutWelcome", true); user_pref("network.http.http2.enabled", false); user_pref("network.http.http3.enable", false); user_pref("network.http.version", 1); user_pref("network.http.http4.enable", false); user_pref("network.http.spdy.enabled", false); user_pref("network.http.spdy.enabled.v3", false); user_pref("network.http.spdy.enabled.v3-1", false);
offset: 0
file_handle: 0x00000000000000cc
filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js
1 0 0
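The network.http.* entries in the buffer above come after trailhead.firstrun.didSeeAboutWelcome, out of the sorted key order Firefox uses when it writes prefs.js itself, which is the tell that they were appended by the sample rather than by the browser. Together they disable HTTP/2, HTTP/3 and SPDY and pin the HTTP version, limiting the browser to HTTP/1.1 framing (still inside TLS for https), the simplest form for a local interceptor to parse. The following is an added example, not code from this page or from the sandbox, of an audit that parses a prefs.js, flags entries weaker than a policy table and separates entries that break the sorted order from ones that merely hold a weak value. SAMPLE_PREFS is a constructed excerpt modelled on the buffers above, and the EXPECTED table and all function names are assumptions chosen for the example.

```python
import re

# Constructed prefs.js excerpt modelled on the NtWriteFile buffers in the report:
# Firefox-written entries in sorted key order, then the network.http.* block that
# follows "trailhead..." and therefore breaks that order.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("app.update.auto.migrated", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("security.OCSP.enabled", 0);
user_pref("toolkit.telemetry.reportingpolicy.firstRun", false);
user_pref("trailhead.firstrun.didSeeAboutWelcome", true);
user_pref("network.http.http2.enabled", false);
user_pref("network.http.http3.enable", false);
user_pref("network.http.version", 1);
user_pref("network.http.http4.enable", false);
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
'''

# Values a profile should carry; assumed for this example, adjust to local policy.
EXPECTED = {
    "network.http.http2.enabled": (True, "HTTP/2 disabled, traffic limited to HTTP/1.1 framing"),
    "network.http.http3.enable": (True, "HTTP/3 (QUIC) disabled"),
    "network.http.spdy.enabled": (True, "SPDY disabled"),
    "network.http.version": ("1.1", "HTTP version pinned by the writer"),
    "security.OCSP.enabled": (1, "OCSP revocation checking off"),
    "browser.safebrowsing.malware.enabled": (True, "Safe Browsing malware check off"),
    "browser.safebrowsing.phishing.enabled": (True, "Safe Browsing phishing check off"),
}

# One user_pref("key", value); entry; works on one-entry-per-line files and on
# the single-line dumps shown in the sandbox buffers.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_value(raw):
    """Type a pref value the way Firefox would: bool, string or integer."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Return (key, value) pairs in file order; order matters for find_appended."""
    return [(key, parse_value(raw)) for key, raw in PREF_RE.findall(text)]


def find_downgrades(pairs):
    """Prefs present in the file whose value differs from EXPECTED."""
    prefs = dict(pairs)
    return [(key, prefs[key], want, why) for key, (want, why) in EXPECTED.items()
            if key in prefs and prefs[key] != want]


def find_appended(pairs):
    """Keys that break the ascending order Firefox writes; once the order breaks,
    every later key is reported, since the tail was written by something else."""
    flagged, high = [], ""
    for key, _ in pairs:
        if key < high:
            flagged.append(key)
        else:
            high = key
    return flagged


def audit(text):
    pairs = parse_prefs(text)
    return {"count": len(pairs),
            "downgrades": find_downgrades(pairs),
            "appended": find_appended(pairs)}


if __name__ == "__main__":
    report = audit(SAMPLE_PREFS)
    for key, got, want, why in report["downgrades"]:
        origin = "APPENDED" if key in report["appended"] else "in-place"
        print(f"{origin:9} {key} = {got!r} (expected {want!r}): {why}")
```

On the sample, the Safe Browsing and OCSP entries are reported as in-place (weak but in sorted position, so possibly part of the profile before the sample ran), while all seven network.http.* keys are reported as appended.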
Process injection: process 2544 (Sniffthem.exe) called NtSetContextThread to modify a thread in remote process 2248 (svchost.exe, created suspended). On x64 the initial thread context of a new process carries the entry point in rcx and the PEB address in rdx; here rcx is 5368769800 = 0x14000ed08, inside the view mapped at 0x140000000, and rdx is 8796092850176 = 0x7fffffd6000, so the WriteProcessMemory to 0x7fffffd6010 targets PEB.ImageBaseAddress (offset 0x10). Create suspended, map a new image, patch the PEB image base, redirect the start context, resume: the sequence commonly called process hollowing.
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.r14: 0
registers.r15: 0
registers.rcx: 5368769800 (0x14000ed08)
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 0
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 0
registers.rdx: 8796092850176 (0x7fffffd6000)
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000e0
process_identifier: 2248
1 0 0
Process injection: process 2544 (Sniffthem.exe) resumed a thread in remote process 2248 (svchost.exe), the final step after the context change above.
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000000e0
suspend_count: 1
process_identifier: 2248
1 0 0
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2252
thread_handle: 0x00000000000000e0
process_identifier: 2248
current_directory:
filepath:
track: 1
command_line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
filepath_r:
stack_pivoted: 0
creation_flags: 134217740 (CREATE_NO_WINDOW|CREATE_SUSPENDED|DETACHED_PROCESS)
inherit_handles: 0
process_handle: 0x0000000000000240
1 1 0

NtMapViewOfSection

section_handle: 0x00000000000000dc
process_identifier: 2248
commit_size: 0
win32_protect: 2 (PAGE_READONLY)
buffer:
base_address: 0x0000000140000000
allocation_type: 0 ()
section_offset: 0
view_size: 311296
process_handle: 0x0000000000000240
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000e0
1 0 0

NtSetContextThread

registers.r14: 0
registers.r15: 0
registers.rcx: 5368769800 (0x14000ed08)
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 0
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 0
registers.rdx: 8796092850176 (0x7fffffd6000)
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000e0
process_identifier: 2248
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000e0
1 0 0

WriteProcessMemory

buffer: @ (the display shows only "@", 0x40; the little-endian bytes of the mapped base 0x140000000 are 00 00 00 40 01 00 00 00, of which 0x40 is the only printable one)
base_address: 0x000007fffffd6010 (0x7fffffd6000 + 0x10, the PEB.ImageBaseAddress field on x64; the PEB address is the NtSetContextThread rdx value 8796092850176 = 0x7fffffd6000)
process_identifier: 2248
process_handle: 0x0000000000000240
1 1 0

NtResumeThread

thread_handle: 0x00000000000000e0
suspend_count: 1
process_identifier: 2248
1 0 0
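The rows from CreateProcessInternalW to NtResumeThread are one procedure: a suspended svchost.exe (creation_flags 134217740 = 0x0800000C, which includes CREATE_SUSPENDED = 0x4), a 311296-byte view mapped at 0x140000000, a thread context whose rcx 5368769800 = 0x14000ed08 lies inside that view and whose rdx 8796092850176 = 0x7fffffd6000 is the PEB, a WriteProcessMemory to PEB + 0x10, and a resume. The following is an added example, not code from this page or from the sandbox, of detection logic that replays such an event stream and reports a target only when the chain is complete and the addresses agree with each other. HOLLOWING_EVENTS is a constructed, simplified event schema built from the rows above; BENIGN_EVENTS is a constructed control; the function names, the schema keys and the PEB offset constant are assumptions of the example.

```python
CREATE_SUSPENDED = 0x00000004       # bit set in the creation_flags value 134217740 above
PEB_IMAGE_BASE_OFFSET = 0x10        # PEB.ImageBaseAddress on x64 (assumed layout constant)

# Constructed event stream modelled on the report rows: pid 2544 is Sniffthem.exe,
# 2248 the svchost.exe it created suspended. Decimal registers from the report are
# written in hex: rcx 5368769800 = 0x14000ed08, rdx 8796092850176 = 0x7fffffd6000.
HOLLOWING_EVENTS = [
    {"api": "CreateProcessInternalW", "pid": 2544, "target_pid": 2248,
     "creation_flags": 134217740,
     "command_line": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM"},
    {"api": "NtMapViewOfSection", "pid": 2544, "target_pid": 2248,
     "base_address": 0x140000000, "view_size": 311296},
    {"api": "NtGetContextThread", "pid": 2544, "target_pid": 2248},
    {"api": "NtSetContextThread", "pid": 2544, "target_pid": 2248,
     "rcx": 0x14000ED08, "rdx": 0x7FFFFFD6000},
    {"api": "NtGetContextThread", "pid": 2544, "target_pid": 2248},
    {"api": "WriteProcessMemory", "pid": 2544, "target_pid": 2248,
     "base_address": 0x7FFFFFD6010},
    {"api": "NtResumeThread", "pid": 2544, "target_pid": 2248, "suspend_count": 1},
]

# Constructed control: a suspended start resumed untouched (debugger, installer).
BENIGN_EVENTS = [
    {"api": "CreateProcessInternalW", "pid": 4000, "target_pid": 4100,
     "creation_flags": CREATE_SUSPENDED, "command_line": r"C:\tools\child.exe"},
    {"api": "NtResumeThread", "pid": 4000, "target_pid": 4100, "suspend_count": 1},
]


def detect_hollowing(events):
    """Return {target_pid: finding} for create-suspended -> map/write -> set-context
    -> resume chains driven by another process. Same-process rows are ignored."""
    per_target = {}
    for ev in events:
        tpid = ev.get("target_pid")
        if tpid is None or tpid == ev.get("pid"):
            continue
        s = per_target.setdefault(tpid, {"suspended": False, "command_line": None,
                                         "regions": [], "context": None,
                                         "writes": [], "resumed": False})
        api = ev["api"]
        if api == "CreateProcessInternalW" and ev["creation_flags"] & CREATE_SUSPENDED:
            s["suspended"] = True
            s["command_line"] = ev["command_line"]
        elif api in ("NtMapViewOfSection", "NtAllocateVirtualMemory"):
            size = ev.get("view_size", ev.get("region_size", 0))
            s["regions"].append((ev["base_address"], ev["base_address"] + size))
        elif api == "NtSetContextThread":
            # x64 start context of a new process: rcx = entry point, rdx = PEB
            s["context"] = (ev["rcx"], ev["rdx"])
        elif api == "WriteProcessMemory":
            s["writes"].append(ev["base_address"])
        elif api == "NtResumeThread":
            s["resumed"] = True

    findings = {}
    for tpid, s in per_target.items():
        if not (s["suspended"] and s["resumed"] and s["context"]):
            continue  # a suspended start that is merely resumed is not evidence
        entry, peb = s["context"]
        findings[tpid] = {
            "command_line": s["command_line"],
            "entry_point": entry,
            "entry_in_injected_region": any(lo <= entry < hi for lo, hi in s["regions"]),
            "peb_image_base_overwritten": (peb + PEB_IMAGE_BASE_OFFSET) in s["writes"],
        }
    return findings


if __name__ == "__main__":
    for tpid, finding in detect_hollowing(HOLLOWING_EVENTS).items():
        print(tpid, finding)
```

The two boolean fields are the corroboration a triage rule should require: an entry point that falls inside a region the creator mapped or allocated, and a write that lands exactly on the PEB image-base field derived from the same context. A suspended start followed by a plain resume, as in the control stream, produces no finding.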
Antivirus results (vendor, detection name):
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Androm.m!c
Cynet Malicious (score: 100)
Skyhigh Artemis!Trojan
ALYac Gen:Variant.Zusy.561042
Cylance Unsafe
VIPRE Gen:Variant.Zusy.561042
Sangfor Backdoor.Win32.Androm.V18v
CrowdStrike win/malicious_confidence_90% (D)
BitDefender Gen:Variant.Zusy.561042
K7GW Riskware ( 00584baa1 )
K7AntiVirus Riskware ( 00584baa1 )
Arcabit Trojan.Zusy.D88F92
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Agent.EAQ
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky Backdoor.Win32.Androm.vssw
Alibaba Trojan:Win32/Tnaket.b6bf018d
MicroWorld-eScan Gen:Variant.Zusy.561042
Rising Backdoor.Androm!8.113 (TFE:5:bHkt5PxagPF)
Emsisoft Gen:Variant.Zusy.561042 (B)
F-Secure Trojan.TR/AD.Nekark.uifjw
DrWeb Trojan.Siggen29.53958
McAfeeD ti!8FF3039072EC
Trapmine malicious.moderate.ml.score
CTX exe.trojan.androm
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.d0cce7870080bd88
Jiangmin Trojan.Hosts2.dmx
Google Detected
Avira TR/AD.Nekark.uifjw
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Kingsoft malware.kb.a.890
Gridinsoft Trojan.Win64.Agent.sa
Microsoft Trojan:Win32/Tnaket.A!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Zusy.561042
Varist W64/ABTrojan.LQGG-6679
AhnLab-V3 Trojan/Win.Tnaket.C5679843
McAfee Artemis!D0CCE7870080
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.798652179
Ikarus Trojan.Win64.Agent
Panda Trj/GdSda.A
Tencent Malware.Win32.Gencirc.10c05b48
huorong Backdoor/Tinukebot.b
Fortinet W64/Agent.EAQ!tr