Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 13, 2024, 1:55 p.m.	Nov. 13, 2024, 1:57 p.m.

Size	273.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5523f28f2224dde8d74286b09146bb47`
SHA256	`b2f9c3002820fa654f514db1779c55a606ec8c164b744aacb9e886a7e1e7c4d9`
CRC32	`735FB3AA`
ssdeep	`6144:+nNuJp9FtYk5k3uZElT63edWRK9Izm/sHgo2TW:+nMp9AYqtoKapHgo2a`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

MJPVgHw.exe "C:\Users\test22\AppData\Local\Temp\MJPVgHw.exe"
444
- svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  2728
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 13, 2024, 1:55 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 13, 2024, 1:55 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 13, 2024, 1:55 p.m.			0	0
IsDebuggerPresent Nov. 13, 2024, 1:56 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 13, 2024, 1:55 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 13, 2024, 1:56 p.m.	stacktrace: RtlPcToFileHeader+0x9b RtlCreateTimer-0x55 ntdll+0xce6b @ 0x776cce6b GlobalAlloc+0xbc GlobalFree-0x34 kernelbase+0xbc7c @ 0x7fefdbfbc7c GetModuleHandleExA+0x4d FreeResource-0x413 kernelbase+0x1b80d @ 0x7fefdc0b80d WSPStartup+0xbf inet_network-0xd361 mswsock+0x921f @ 0x7fefd35921f WahOpenApcHelper+0x20a send-0x236 ws2_32+0x7dca @ 0x7fefe447dca __WSAFDIsSet+0xe02 WahCreateHandleContextTable-0xa2e ws2_32+0x5d22 @ 0x7fefe445d22 WSASendTo+0x1db WEP-0x75c5 ws2_32+0xef2b @ 0x7fefe44ef2b WSAAddressToStringW+0x9d getnameinfo-0x73 ws2_32+0xe73d @ 0x7fefe44e73d GetNameInfoW+0xdb accept-0x55 ws2_32+0xe9ab @ 0x7fefe44e9ab getnameinfo+0xa2 GetNameInfoW-0x7e ws2_32+0xe852 @ 0x7fefe44e852 InternetOpenA+0xb24 IsHostInProxyBypassList-0x2524 wininet+0x1aac0 @ 0x770faac0 InternetOpenA+0x23df IsHostInProxyBypassList-0xc69 wininet+0x1c37b @ 0x770fc37b InternetOpenA+0x2171 IsHostInProxyBypassList-0xed7 wininet+0x1c10d @ 0x770fc10d InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d InternetOpenA+0x210b IsHostInProxyBypassList-0xf3d wininet+0x1c0a7 @ 0x770fc0a7 InternetOpenA+0x1fdd IsHostInProxyBypassList-0x106b wininet+0x1bf79 @ 0x770fbf79 InternetOpenA+0x163c IsHostInProxyBypassList-0x1a0c wininet+0x1b5d8 @ 0x770fb5d8 InternetOpenA+0xba1 IsHostInProxyBypassList-0x24a7 wininet+0x1ab3d @ 0x770fab3d InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d InternetOpenA+0x1161 IsHostInProxyBypassList-0x1ee7 wininet+0x1b0fd @ 0x770fb0fd InternetOpenA+0x1bba IsHostInProxyBypassList-0x148e wininet+0x1bb56 @ 0x770fbb56 InternetInitializeAutoProxyDll+0x3ae1 InternetOpenA-0x83fb wininet+0x11ba1 @ 0x770f1ba1 InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d InternetInitializeAutoProxyDll+0x4a7b InternetOpenA-0x7461 wininet+0x12b3b @ 0x770f2b3b InternetInitializeAutoProxyDll+0x4632 InternetOpenA-0x78aa wininet+0x126f2 @ 0x770f26f2 InternetInitializeAutoProxyDll+0x458d InternetOpenA-0x794f wininet+0x1264d @ 0x770f264d InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d InternetInitializeAutoProxyDll+0x3458 InternetOpenA-0x8a84 wininet+0x11518 @ 0x770f1518 InternetInitializeAutoProxyDll+0x3321 InternetOpenA-0x8bbb wininet+0x113e1 @ 0x770f13e1 InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d InternetInitializeAutoProxyDll+0x2600 InternetOpenA-0x98dc wininet+0x106c0 @ 0x770f06c0 InternetInitializeAutoProxyDll+0x1dee InternetOpenA-0xa0ee wininet+0xfeae @ 0x770efeae InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d IsHostInProxyBypassList+0x647f InternetOpenUrlA-0x5b1 wininet+0x23463 @ 0x77103463 IsHostInProxyBypassList+0x643d InternetOpenUrlA-0x5f3 wininet+0x23421 @ 0x77103421 InternetOpenUrlA+0x986 InternetCrackUrlW-0x49a6 wininet+0x2439a @ 0x7710439a InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d InternetOpenUrlA+0x603 InternetCrackUrlW-0x4d29 wininet+0x24017 @ 0x77104017 InternetOpenUrlA+0x345 InternetCrackUrlW-0x4fe7 wininet+0x23d59 @ 0x77103d59 InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400 InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d InternetOpenUrlA+0x26a InternetCrackUrlW-0x50c2 wininet+0x23c7e @ 0x77103c7e InternetOpenUrlA+0x65 InternetCrackUrlW-0x52c7 wininet+0x23a79 @ 0x77103a79 New_wininet_InternetOpenUrlA+0x62 New_wininet_InternetOpenUrlW-0x15e @ 0x749bc563 InternetOpenUrlW+0x109 InternetGetLastResponseInfoW-0x93 wininet+0x833c9 @ 0x771633c9 New_wininet_InternetOpenUrlW+0x143 New_wininet_InternetOpenW-0x7d @ 0x749bc804 0x140003324 0x140003c5c 0x140003ee2 0x14000ddda BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 41 8b 43 50 48 03 43 30 48 3b f8 73 c9 48 8b 73 exception.symbol: RtlPcToFileHeader+0x9b RtlCreateTimer-0x55 ntdll+0xce6b exception.instruction: mov eax, dword ptr [r11 + 0x50] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 52843 exception.address: 0x776cce6b registers.r14: 0 registers.r15: 0 registers.rcx: 23117 registers.rsi: 0 registers.r10: 3221225595 registers.rbx: 0 registers.rsp: 719632 registers.r11: 0 registers.r8: 0 registers.r9: 705368 registers.rdx: 5368709120 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 3221225595 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 13, 2024, 1:56 p.m.

stacktrace:

RtlPcToFileHeader+0x9b RtlCreateTimer-0x55 ntdll+0xce6b @ 0x776cce6b
GlobalAlloc+0xbc GlobalFree-0x34 kernelbase+0xbc7c @ 0x7fefdbfbc7c
GetModuleHandleExA+0x4d FreeResource-0x413 kernelbase+0x1b80d @ 0x7fefdc0b80d
WSPStartup+0xbf inet_network-0xd361 mswsock+0x921f @ 0x7fefd35921f
WahOpenApcHelper+0x20a send-0x236 ws2_32+0x7dca @ 0x7fefe447dca
__WSAFDIsSet+0xe02 WahCreateHandleContextTable-0xa2e ws2_32+0x5d22 @ 0x7fefe445d22
WSASendTo+0x1db WEP-0x75c5 ws2_32+0xef2b @ 0x7fefe44ef2b
WSAAddressToStringW+0x9d getnameinfo-0x73 ws2_32+0xe73d @ 0x7fefe44e73d
GetNameInfoW+0xdb accept-0x55 ws2_32+0xe9ab @ 0x7fefe44e9ab
getnameinfo+0xa2 GetNameInfoW-0x7e ws2_32+0xe852 @ 0x7fefe44e852
InternetOpenA+0xb24 IsHostInProxyBypassList-0x2524 wininet+0x1aac0 @ 0x770faac0
InternetOpenA+0x23df IsHostInProxyBypassList-0xc69 wininet+0x1c37b @ 0x770fc37b
InternetOpenA+0x2171 IsHostInProxyBypassList-0xed7 wininet+0x1c10d @ 0x770fc10d
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
InternetOpenA+0x210b IsHostInProxyBypassList-0xf3d wininet+0x1c0a7 @ 0x770fc0a7
InternetOpenA+0x1fdd IsHostInProxyBypassList-0x106b wininet+0x1bf79 @ 0x770fbf79
InternetOpenA+0x163c IsHostInProxyBypassList-0x1a0c wininet+0x1b5d8 @ 0x770fb5d8
InternetOpenA+0xba1 IsHostInProxyBypassList-0x24a7 wininet+0x1ab3d @ 0x770fab3d
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
InternetOpenA+0x1161 IsHostInProxyBypassList-0x1ee7 wininet+0x1b0fd @ 0x770fb0fd
InternetOpenA+0x1bba IsHostInProxyBypassList-0x148e wininet+0x1bb56 @ 0x770fbb56
InternetInitializeAutoProxyDll+0x3ae1 InternetOpenA-0x83fb wininet+0x11ba1 @ 0x770f1ba1
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
InternetInitializeAutoProxyDll+0x4a7b InternetOpenA-0x7461 wininet+0x12b3b @ 0x770f2b3b
InternetInitializeAutoProxyDll+0x4632 InternetOpenA-0x78aa wininet+0x126f2 @ 0x770f26f2
InternetInitializeAutoProxyDll+0x458d InternetOpenA-0x794f wininet+0x1264d @ 0x770f264d
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
InternetInitializeAutoProxyDll+0x3458 InternetOpenA-0x8a84 wininet+0x11518 @ 0x770f1518
InternetInitializeAutoProxyDll+0x3321 InternetOpenA-0x8bbb wininet+0x113e1 @ 0x770f13e1
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
InternetInitializeAutoProxyDll+0x2600 InternetOpenA-0x98dc wininet+0x106c0 @ 0x770f06c0
InternetInitializeAutoProxyDll+0x1dee InternetOpenA-0xa0ee wininet+0xfeae @ 0x770efeae
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
IsHostInProxyBypassList+0x647f InternetOpenUrlA-0x5b1 wininet+0x23463 @ 0x77103463
IsHostInProxyBypassList+0x643d InternetOpenUrlA-0x5f3 wininet+0x23421 @ 0x77103421
InternetOpenUrlA+0x986 InternetCrackUrlW-0x49a6 wininet+0x2439a @ 0x7710439a
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
InternetOpenUrlA+0x603 InternetCrackUrlW-0x4d29 wininet+0x24017 @ 0x77104017
InternetOpenUrlA+0x345 InternetCrackUrlW-0x4fe7 wininet+0x23d59 @ 0x77103d59
InternetInitializeAutoProxyDll+0x340 InternetOpenA-0xbb9c wininet+0xe400 @ 0x770ee400
InternetInitializeAutoProxyDll+0x25d InternetOpenA-0xbc7f wininet+0xe31d @ 0x770ee31d
InternetOpenUrlA+0x26a InternetCrackUrlW-0x50c2 wininet+0x23c7e @ 0x77103c7e
InternetOpenUrlA+0x65 InternetCrackUrlW-0x52c7 wininet+0x23a79 @ 0x77103a79
New_wininet_InternetOpenUrlA+0x62 New_wininet_InternetOpenUrlW-0x15e @ 0x749bc563
InternetOpenUrlW+0x109 InternetGetLastResponseInfoW-0x93 wininet+0x833c9 @ 0x771633c9
New_wininet_InternetOpenUrlW+0x143 New_wininet_InternetOpenW-0x7d @ 0x749bc804
0x140003324
0x140003c5c
0x140003ee2
0x14000ddda
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 41 8b 43 50 48 03 43 30 48 3b f8 73 c9 48 8b 73
exception.symbol: RtlPcToFileHeader+0x9b RtlCreateTimer-0x55 ntdll+0xce6b
exception.instruction: mov eax, dword ptr [r11 + 0x50]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 52843
exception.address: 0x776cce6b
registers.r14: 0
registers.r15: 0
registers.rcx: 23117
registers.rsi: 0
registers.r10: 3221225595
registers.rbx: 0
registers.rsp: 719632
registers.r11: 0
registers.r8: 0
registers.r9: 705368
registers.rdx: 5368709120
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3221225595
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 13, 2024, 1:55 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\prefs.js
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Nov. 13, 2024, 1:55 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe filepath: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: pw.exe process_identifier: 804	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: taskhost.exe process_identifier: 872	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: SearchProtocolHost.exe process_identifier: 416	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: SearchFilterHost.exe process_identifier: 1552	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: mscorsvw.exe process_identifier: 2372	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: sppsvc.exe process_identifier: 2440	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: cmd.exe process_identifier: 2676	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: conhost.exe process_identifier: 2684	1	1
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000a8 process_name: svchost.exe process_identifier: 2728	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (10 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000001ec process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000001ec process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000001ec process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000001ec process_name: svchost.exe process_identifier: 2728		0	0
Process32NextW Nov. 13, 2024, 1:56 p.m.	snapshot_handle: 0x00000000000001ec process_name: svchost.exe process_identifier: 2728		0	0

Yara rule detected in process memory (14 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fb0ea4ed67a51fa03f9827d26eb4a6a2f9755e85

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Services				reg_value	C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

Attempts to disable SPDY support in Firefox to improve web infostealing capability (1 event)

Time & API	Arguments	Status	Return	Repeated
NtWriteFile Nov. 13, 2024, 1:56 p.m.	buffer: OCSP.enabled", 0); user_pref("security.sandbox.content.tempDirSuffix", "{8465afaa-02dc-4a49-becf-92e61d0dc562}"); user_pref("services.sync.clients.lastSync", "0"); user_pref("services.sync.declinedEngines", ""); user_pref("services.sync.engine.addresses.available", true); user_pref("services.sync.globalScore", 0); user_pref("services.sync.nextSync", 0); user_pref("services.sync.tabs.lastSync", "0"); user_pref("toolkit.startup.last_success", 1664254201); user_pref("toolkit.telemetry.cachedClientID", "c0ffeec0-ffee-c0ff-eec0-ffeec0ffeec0"); user_pref("toolkit.telemetry.previousBuildID", "20220922151854"); user_pref("toolkit.telemetry.reportingpolicy.firstRun", false); user_pref("trailhead.firstrun.didSeeAboutWelcome", true); user_pref("network.http.http2.enabled", false); user_pref("network.http.http3.enable", false); user_pref("network.http.version", 1); user_pref("network.http.http4.enable", false); user_pref("network.http.spdy.enabled", false); user_pref("network.http.spdy.enabled.v3", false); user_pref("network.http.spdy.enabled.v3-1", false); offset: 0 file_handle: 0x00000000000000a4 filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\prefs.js	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 13, 2024, 1:56 p.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 2728 process_handle: 0x0000000000000240	1	1	0

Modifies the Firefox configuration file (3 events)

Time & API	Arguments	Status
NtWriteFile Nov. 13, 2024, 1:56 p.m.	buffer: // Mozilla User Preferences // DO NOT EDIT THIS FILE. // // If you make changes to this file while the application is running, // the changes will be overwritten when the application exits. // // To change a preference value, you can either: // - modify it via the UI (e.g. via about:config in the browser); or // - set it within a user.js file in your profile. user_pref("app.normandy.first_run", false); user_pref("app.normandy.migrationsApplied", 12); user_pref("app.normandy.user_id", "4b0502c8-d999-4e5d-bc01-40dbfc7f094c"); user_pref("app.shield.optoutstudies.enabled", false); user_pref("app.update.auto.migrated", true); user_pref("app.update.background.lastInstalledTaskVersion", 3); user_pref("app.update.background.previous.reasons", "[\"app.update.auto=false\"]"); user_pref("app.update.background.rolledout", true); user_pref("app.update.lastUpdateTime.addon-background-update-timer", 0); user_pref("app.update.lastUpdateTime.background-update-timer", 0); user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1664254233); user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1664254474); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1664254204); user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1664254355); user_pref("app.update.lastUpdateTime.services-settings-poll-changes", 0); user_pref("app.update.lastUpdateTime.telemetry_modules_ping", 1664254262); user_pref("app.update.lastUpdateTime.telemetry_untrustedmodules_ping", 0); user_pref("app.update.lastUpdateTime.xpi-signature-verification", 0); user_pref("app.update.migrated.updateDir3.308046B0AF4A39CB", true); user_pref("app.update.service.enabled", false); user_pref("browser.bookmarks.addedImportButton", true); user_pref("browser.bookmarks.restore_default_bookmarks", false); user_pref("browser.contentblocking.category", "custom"); user_pref("browser.contextual-services.contextId", "{c9624c3e-7e30-43e5-b7ce-43d0e5ec2df8}"); user_pref("browser.download.viewableInternally.typeWasRegistered.avif", true); user_pref("browser.download.viewableInternally.typeWasRegistered.webp", true); user_pref("browser.laterrun.bookkeeping.profileCreationTime", 1664254204); user_pref("browser.laterrun.bookkeeping.sessionCount", 1); user_pref("browser.laterrun.enabled", true); user_pref("browser.launcherProcess.enabled", true); user_pref("browser.migration.version", 128); user_pref("browser.newtabpage.activity-stream.impressionId", "{f7dc90a4-c1bb-483f-b205-27955a4d79de}"); user_pref("browser.newtabpage.storageVersion", 1); user_pref("browser.pageActions.persistedActions", "{\"ids\":[\"bookmark\"],\"idsInUrlbar\":[\"bookmark\"],\"idsInUrlbarPreProton\":[],\"version\":1}"); user_pref("browser.pagethumbnails.storage_version", 3); user_pref("browser.proton.toolbar.version", 3); user_pref("browser.region.update.updated", 1664254203); user_pref("browser.safebrowsing.malware.enabled", false); user_pref("browser.safebrowsing.phishing.enabled", false); user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "1664254245212"); user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "1664256064212"); user_pref("browser.safebrowsing.provider.mozilla.lastupdatetime", "1664254285756"); user_pref("browser.safebrowsing.provider.mozilla.nextupdatetime", "1664275885756"); user_pref("browser.search.region", "KR"); user_pref("browser.sessionstore.resume_session_once", true); user_pref("browser.sessionstore.resuming_after_os_restart", true); user_pref("browser.shell.checkDefaultBrowser", false); user_pref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", true); user_pref("browser.startup.couldRestoreSession.count", 1); user_pref("browser.startup.homepage_override.buildID", "20220922151854"); user_pref("browser.startup.homepage_override.mstone", "105.0.1"); user_pref("browser.startup.lastColdStartupCheck", 1664254205); user_pref("browser.theme.content-theme", 1); user_pref("browser.uiCustomization.state", "{ offset: 0 file_handle: 0x00000000000000a4 filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\prefs.js	1
NtWriteFile Nov. 13, 2024, 1:56 p.m.	buffer: back-button\",\"forward-button\",\"stop-reload-button\",\"customizableui-special-spring1\",\"urlbar-container\",\"customizableui-special-spring2\",\"save-to-pocket-button\",\"downloads-button\",\"fxa-toolbar-menu-button\"],\"toolbar-menubar\":[\"menubar-items\"],\"TabsToolbar\":[\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"PersonalToolbar\":[\"import-button\",\"personal-bookmarks\"]},\"seen\":[\"save-to-pocket-button\",\"developer-button\"],\"dirtyAreaCache\":[\"nav-bar\",\"PersonalToolbar\"],\"currentVersion\":17,\"newElementCount\":2}"); user_pref("browser.urlbar.placeholderName", "Google"); user_pref("browser.urlbar.quicksuggest.migrationVersion", 2); user_pref("browser.urlbar.quicksuggest.scenario", "history"); user_pref("datareporting.healthreport.uploadEnabled", false); user_pref("datareporting.policy.dataSubmissionPolicyAcceptedVersion", 2); user_pref("datareporting.policy.dataSubmissionPolicyNotifiedTime", "1664254208723"); user_pref("distribution.iniFile.exists.appversion", "105.0.1"); user_pref("distribution.iniFile.exists.value", false); user_pref("doh-rollout.doneFirstRun", true); user_pref("doh-rollout.home-region", "KR"); user_pref("dom.disable_open_during_load", false); user_pref("dom.forms.autocomplete.formautofill", true); user_pref("dom.push.userAgentID", "c35e365f56e94badb3e93676b0f781c0"); user_pref("extensions.activeThemeID", "default-theme@mozilla.org"); user_pref("extensions.blocklist.pingCountVersion", 0); user_pref("extensions.databaseSchema", 35); user_pref("extensions.getAddons.databaseSchema", 6); user_pref("extensions.lastAppBuildId", "20220922151854"); user_pref("extensions.lastAppVersion", "105.0.1"); user_pref("extensions.lastPlatformVersion", "105.0.1"); user_pref("extensions.pendingOperations", false); user_pref("extensions.pictureinpicture.enable_picture_in_picture_overrides", true); user_pref("extensions.systemAddonSet", "{\"schema\":1,\"addons\":{}}"); user_pref("extensions.webcompat.enable_shims", true); user_pref("extensions.webcompat.perform_injections", true); user_pref("extensions.webcompat.perform_ua_overrides", true); user_pref("extensions.webextensions.ExtensionStorageIDB.migrated.screenshots@mozilla.org", true); user_pref("extensions.webextensions.uuids", "{\"formautofill@mozilla.org\":\"36465c14-ad32-4790-af90-f73e184e1ed6\",\"pictureinpicture@mozilla.org\":\"ca4f20cf-0699-4a43-a928-cafdaf26d379\",\"screenshots@mozilla.org\":\"a61f2e8e-9cba-4146-bf3e-48fa1ae6f857\",\"webcompat-reporter@mozilla.org\":\"c3764442-a37a-4af0-a10c-287637035383\",\"webcompat@mozilla.org\":\"31c1c612-5384-488b-8340-99aad3bb7285\",\"default-theme@mozilla.org\":\"9c20bdee-2eb2-41c2-a4f9-5d4c0feb2116\",\"addons-search-detection@mozilla.com\":\"65b1aa66-3227-48c9-95b9-bbe3036f4ce6\",\"google@search.mozilla.org\":\"4ffa87b4-c331-47bb-a348-4762ef7eb7ef\",\"amazondotcom@search.mozilla.org\":\"657a4f48-e730-4731-85eb-18137207c37b\",\"wikipedia@search.mozilla.org\":\"997ee8a2-1e08-4957-9138-1715aa5da79c\",\"bing@search.mozilla.org\":\"d337f188-ffa3-4cb9-9f92-21a6e180d5a7\",\"ddg@search.mozilla.org\":\"6f58f936-1499-4d12-aa30-20bfbd7c4ac8\"}"); user_pref("fission.experiment.max-origins.last-disqualified", 0); user_pref("fission.experiment.max-origins.last-qualified", 1664254208); user_pref("fission.experiment.max-origins.qualified", true); user_pref("gecko.handlerService.defaultHandlersVersion", 1); user_pref("media.gmp.storage.version.observed", 1); user_pref("media.hardware-video-decoding.failed", false); user_pref("network.cookie.cookieBehavior", 0); user_pref("pdfjs.enabledCache.state", true); user_pref("pdfjs.migrationVersion", 2); user_pref("privacy.sanitize.pending", "[]"); user_pref("privacy.trackingprotection.cryptomining.enabled", false); user_pref("privacy.trackingprotection.fingerprinting.enabled", false); user_pref("privacy.trackingprotection.pbmode.enabled", false); user_pref("sanity-test.device-id", "0xbeef"); user_pref("sanity-test.driver-version", "6.1.7600.16385"); user_pref("sanity-test.running", true); user_pref("sanity-test.vers offset: 0 file_handle: 0x00000000000000a4 filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\prefs.js	1
NtWriteFile Nov. 13, 2024, 1:56 p.m.	buffer: OCSP.enabled", 0); user_pref("security.sandbox.content.tempDirSuffix", "{8465afaa-02dc-4a49-becf-92e61d0dc562}"); user_pref("services.sync.clients.lastSync", "0"); user_pref("services.sync.declinedEngines", ""); user_pref("services.sync.engine.addresses.available", true); user_pref("services.sync.globalScore", 0); user_pref("services.sync.nextSync", 0); user_pref("services.sync.tabs.lastSync", "0"); user_pref("toolkit.startup.last_success", 1664254201); user_pref("toolkit.telemetry.cachedClientID", "c0ffeec0-ffee-c0ff-eec0-ffeec0ffeec0"); user_pref("toolkit.telemetry.previousBuildID", "20220922151854"); user_pref("toolkit.telemetry.reportingpolicy.firstRun", false); user_pref("trailhead.firstrun.didSeeAboutWelcome", true); user_pref("network.http.http2.enabled", false); user_pref("network.http.http3.enable", false); user_pref("network.http.version", 1); user_pref("network.http.http4.enable", false); user_pref("network.http.spdy.enabled", false); user_pref("network.http.spdy.enabled.v3", false); user_pref("network.http.spdy.enabled.v3-1", false); offset: 0 file_handle: 0x00000000000000a4 filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\prefs.js	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 444 called NtSetContextThread to modify thread in remote process 2728
NtSetContextThread Nov. 13, 2024, 1:56 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5368765980 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 0 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000b8 process_identifier: 2728	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 444 resumed a thread in remote process 2728
NtResumeThread Nov. 13, 2024, 1:56 p.m.	thread_handle: 0x00000000000000b8 suspend_count: 1 process_identifier: 2728	1	0	0

Attempts to modify Explorer settings to prevent hidden files from being displayed (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 13, 2024, 1:56 p.m.	thread_identifier: 2732 thread_handle: 0x00000000000000b8 process_identifier: 2728 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x0000000000000240	1	1
NtMapViewOfSection Nov. 13, 2024, 1:56 p.m.	section_handle: 0x00000000000000b4 process_identifier: 2728 commit_size: 0 win32_protect: 2 (PAGE_READONLY) buffer: base_address: 0x0000000140000000 allocation_type: 0 () section_offset: 0 view_size: 303104 process_handle: 0x0000000000000240	1	0
NtGetContextThread Nov. 13, 2024, 1:56 p.m.	thread_handle: 0x00000000000000b8	1	0
NtSetContextThread Nov. 13, 2024, 1:56 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5368765980 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 0 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000b8 process_identifier: 2728	1	0
NtGetContextThread Nov. 13, 2024, 1:56 p.m.	thread_handle: 0x00000000000000b8	1	0
WriteProcessMemory Nov. 13, 2024, 1:56 p.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 2728 process_handle: 0x0000000000000240	1	1
NtResumeThread Nov. 13, 2024, 1:56 p.m.	thread_handle: 0x00000000000000b8 suspend_count: 1 process_identifier: 2728	1	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.Common.D481E2D7
Lionic	Trojan.Win32.Androm.m!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Infected.dm
McAfee	Artemis!5523F28F2224
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.172236
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Mikey.172236
K7GW	Trojan ( 005b776e1 )
K7AntiVirus	Trojan ( 005b776e1 )
Arcabit	Trojan.Mikey.D2A0CC
VirIT	Trojan.Win32.Genus.WYQ
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Agent.EAQ
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	Backdoor.Win32.Androm.vtbt
Alibaba	Backdoor:Win64/Androm.b8ad226b
NANO-Antivirus	Trojan.Win64.Androm.kthnza
MicroWorld-eScan	Gen:Variant.Mikey.172236
Rising	Backdoor.Androm!8.113 (TFE:5:uGYVIXwGFbQ)
Emsisoft	Gen:Variant.Mikey.172236 (B)
F-Secure	Trojan.TR/AD.Nekark.ersvn
DrWeb	Trojan.Siggen29.60257
Zillya	Trojan.Agent.Win64.68202
McAfeeD	ti!B2F9C3002820
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.androm
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.5523f28f2224dde8
Google	Detected
Avira	TR/AD.Nekark.ersvn
Antiy-AVL	Trojan[Backdoor]/Win32.Androm
Kingsoft	malware.kb.a.888
Gridinsoft	Ransom.Win64.Wacatac.sa
Xcitium	Malware@#ct2zyii2g0b7
Microsoft	Trojan:Win64/Androm.MX!MTB
GData	Gen:Variant.Mikey.172236
Varist	W64/ABTrojan.WYCP-0927
AhnLab-V3	Trojan/Win.Tnaket.C5686895
VBA32	Backdoor.Androm
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1839485187
Ikarus	Trojan.Win64.Agent
Panda	Trj/Chgt.AD
Tencent	Malware.Win32.Gencirc.141fe00a
Yandex	Backdoor.Androm!7kcNxiEd0tU

MJPVgHw.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All