Create Interactive Tour

Windows Analysis Report
apnmcp.exe

Overview

General Information

Sample Name:	apnmcp.exe
Analysis ID:	609650
MD5:	abd7edc38ff72ec115031a6cb98ad26e
SHA1:	91f424bf783e3c7f83b2d1987b2b1fe011b61603
SHA256:	c6c84273291a7e21d92d1eef0b92cc8d58dfdc40fa43d8ba52094f937528d92e
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 4068 cmdline: cmd /c sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" >> C:\servicereg.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6288 cmdline: sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" MD5: 24A3E2603E63BCB9695A2935D3B24695)

cmd.exe (PID: 3976 cmdline: cmd /c sc start gjMgd >> C:\servicestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6224 cmdline: sc start gjMgd MD5: 24A3E2603E63BCB9695A2935D3B24695)

apnmcp.exe (PID: 2124 cmdline: C:\Users\user\Desktop\apnmcp.exe MD5: ABD7EDC38FF72EC115031A6CB98AD26E)

svchost.exe (PID: 4524 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5656 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5504 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" , CommandLine: sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd /c sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4068, ParentProcessName: cmd.exe, ProcessCommandLine: sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" , ProcessId: 6288, ProcessName: sc.exe

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: cmd /c sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4068, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5980, ProcessName: conhost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: apnmcp.exe	Virustotal: Detection: 43%	Perma Link
Source: apnmcp.exe	Metadefender: Detection: 32%	Perma Link
Source: apnmcp.exe	ReversingLabs: Detection: 27%

Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003B20F0 lstrcmpA,lstrcmpA,CryptDecodeObject,CryptDecodeObject,LocalAlloc,CryptDecodeObject,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CryptMsgClose,
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003B2560 lstrcmpA,CryptDecodeObject,CryptDecodeObject,LocalAlloc,CryptDecodeObject,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003B2700 lstrlenW,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,lstrlenW,CertFindCertificateInStore,CertGetNameStringW,LocalAlloc,CertGetNameStringW,LocalFree,CertGetNameStringW,LocalAlloc,CertGetNameStringW,LocalFree,CertGetNameStringW,LocalAlloc,CertGetNameStringW,LocalFree,_memset,CertFindCertificateInStore,CertGetNameStringW,CertGetNameStringW,CertGetNameStringW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,

Source: apnmcp.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: apnmcp.exe

Static PE information: certificate valid

Source: apnmcp.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Jenkins\workspace\TOOLBAR_PACKAGE_DEV\IE_CORE_SRC\Release\apnmcp.pdb source: apnmcp.exe

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B4690 _memset,_memset,GetModuleFileNameExW,GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,GetLastError,GetLastError,

Source: svchost.exe, 00000012.00000003.503169717.000001986A372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000012.00000003.503169717.000001986A372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000012.00000003.503179817.000001986A383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.503169717.000001986A372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-04-01T12:22:08.0359010Z\|\|.\|\|a9882750-175e-43a3-823a-4412be4e3093\|\|1152921505694677957\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000012.00000003.503179817.000001986A383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.503169717.000001986A372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-04-01T12:22:08.0359010Z\|\|.\|\|a9882750-175e-43a3-823a-4412be4e3093\|\|1152921505694677957\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: apnmcp.exe	String found in binary or memory: http://apnstatic.ask.com/static/toolbar/everest/documents/legal/en/ask_eula.html0
Source: svchost.exe, 00000012.00000002.546134550.000001986A300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000012.00000002.546067999.0000019869AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: apnmcp.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: apnmcp.exe	String found in binary or memory: http://s2.symcb.com0
Source: apnmcp.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: apnmcp.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: apnmcp.exe	String found in binary or memory: http://sv.symcd.com0&
Source: apnmcp.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: apnmcp.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: apnmcp.exe	String found in binary or memory: https://anx.apnanalytics.com/tr.gif
Source: apnmcp.exe	String found in binary or memory: https://anx.apnanalytics.com/tr.gifSOFTWARE
Source: apnmcp.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: apnmcp.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000012.00000003.515870554.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515802401.000001986A397000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515922687.000001986A803000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515951075.000001986A385000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.516074424.000001986A81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515897470.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515970248.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: apnmcp.exe	String found in binary or memory: https://tbapi.search.ask.com/v6/package?id=
Source: svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000012.00000003.515870554.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515802401.000001986A397000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515922687.000001986A803000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515951075.000001986A385000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.516074424.000001986A81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515897470.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515970248.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000012.00000003.515870554.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515802401.000001986A397000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515922687.000001986A803000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515951075.000001986A385000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.516074424.000001986A81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515897470.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515970248.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000012.00000003.528521951.000001986A398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000012.00000003.528613029.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528541641.000001986A3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528521951.000001986A398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528457791.000001986A3BF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528441269.000001986A3BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: apnmcp.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003CCA37
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003CC4E6
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003CD664
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003CE761
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003CCF88

Source: C:\Users\user\Desktop\apnmcp.exe	Code function: String function: 003C1FA0 appears 34 times
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: String function: 003B4400 appears 44 times
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: String function: 003BD170 appears 75 times

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B9D60 _memset,_memset,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,lstrcmpiW,ProcessIdToSessionId,Process32NextW,OpenProcess,OpenProcessToken,GetLastError,GetLastError,LookupPrivilegeValueW,GetLastError,DuplicateTokenEx,GetLastError,SetTokenInformation,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,CloseHandle,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B1860 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,GetLastError,MessageBoxW,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,MessageBoxW,

Source: apnmcp.exe	Virustotal: Detection: 43%
Source: apnmcp.exe	Metadefender: Detection: 32%
Source: apnmcp.exe	ReversingLabs: Detection: 27%

Source: apnmcp.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start gjMgd >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start gjMgd
Source: unknown	Process created: C:\Users\user\Desktop\apnmcp.exe C:\Users\user\Desktop\apnmcp.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start gjMgd

Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003B9D60 _memset,_memset,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,lstrcmpiW,ProcessIdToSessionId,Process32NextW,OpenProcess,OpenProcessToken,GetLastError,GetLastError,LookupPrivilegeValueW,GetLastError,DuplicateTokenEx,GetLastError,SetTokenInformation,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003B9ED7 lstrcmpiW,ProcessIdToSessionId,Process32NextW,OpenProcess,OpenProcessToken,GetLastError,GetLastError,LookupPrivilegeValueW,GetLastError,DuplicateTokenEx,GetLastError,SetTokenInformation,AdjustTokenPrivileges,GetLastError,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,CloseHandle,

Source: classification engine

Classification label: mal48.winEXE@13/2@0/0

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B1F00 CoCreateInstance,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,GetModuleFileNameW,OpenSCManagerW,MessageBoxW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B1D90 StartServiceCtrlDispatcherW,GetLastError,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B1D90 StartServiceCtrlDispatcherW,GetLastError,

Source: C:\Users\user\Desktop\apnmcp.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:204:120:WilError_01

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B2D80 LoadResource,LockResource,SizeofResource,

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: apnmcp.exe

Static PE information: certificate valid

Source: apnmcp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: apnmcp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: apnmcp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: apnmcp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: apnmcp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: apnmcp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: apnmcp.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: apnmcp.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Jenkins\workspace\TOOLBAR_PACKAGE_DEV\IE_CORE_SRC\Release\apnmcp.pdb source: apnmcp.exe

Source: apnmcp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: apnmcp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: apnmcp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: apnmcp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: apnmcp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003C1FE5 push ecx; ret

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003CB847 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B1D90 StartServiceCtrlDispatcherW,GetLastError,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe"

Source: C:\Windows\System32\svchost.exe TID: 6224

Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\Desktop\apnmcp.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\apnmcp.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B4690 _memset,_memset,GetModuleFileNameExW,GetProcessImageFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,GetLastError,GetLastError,

Source: C:\Users\user\Desktop\apnmcp.exe

API call chain: ExitProcess graph end node

Source: svchost.exe, 00000012.00000002.545991826.0000019869A81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.545342475.0000019869A81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`X
Source: svchost.exe, 00000012.00000002.546067999.0000019869AEB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.545750897.0000019869A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003BFBA6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003D0B72 GetProcessHeap,

Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003BFBA6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003C84EA SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\apnmcp.exe	Code function: 9_2_003C17A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start gjMgd

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003BE290 ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,CreateNamedPipeW,GetLastError,GetLastError,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B5380 GetLocalTime,GetCurrentThreadId,GetCurrentThreadId,GetCurrentProcessId,OutputDebugStringW,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003C7864 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\Desktop\apnmcp.exe

Code function: 9_2_003B2F70 _memset,GetVersionExW,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	13 Service Execution	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	15 Windows Service	11 Access Token Manipulation	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	15 Windows Service	11 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	12 Process Injection	12 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
apnmcp.exe	43%	Virustotal		Browse
apnmcp.exe	32%	Metadefender		Browse
apnmcp.exe	28%	ReversingLabs	Win32.PUA.BundledAsk

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://anx.apnanalytics.com/tr.gif	0%	Avira URL Cloud	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://anx.apnanalytics.com/tr.gifSOFTWARE	0%	Avira URL Cloud	safe
http://help.disneyplus.com.	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tbapi.search.ask.com/v6/package?id=	apnmcp.exe	false		high
http://www.symauth.com/rpa00	apnmcp.exe	false		high
https://anx.apnanalytics.com/tr.gif	apnmcp.exe	false	Avira URL Cloud: safe	unknown
http://apnstatic.ask.com/static/toolbar/everest/documents/legal/en/ask_eula.html0	apnmcp.exe	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 00000012.00000003.515870554.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515802401.000001986A397000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515922687.000001986A803000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515951075.000001986A385000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.516074424.000001986A81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515897470.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515970248.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 00000012.00000003.515870554.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515802401.000001986A397000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515922687.000001986A803000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515951075.000001986A385000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.516074424.000001986A81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515897470.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515970248.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000012.00000002.546067999.0000019869AEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.tiktok.com/legal/report	svchost.exe, 00000012.00000003.528521951.000001986A398000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000012.00000003.528613029.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528541641.000001986A3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528521951.000001986A398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528457791.000001986A3BF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.528441269.000001986A3BF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anx.apnanalytics.com/tr.gifSOFTWARE	apnmcp.exe	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	apnmcp.exe	false		high
http://help.disneyplus.com.	svchost.exe, 00000012.00000003.525634027.000001986A382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.521958092.000001986A399000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 00000012.00000003.515870554.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515802401.000001986A397000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515922687.000001986A803000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515951075.000001986A385000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.516074424.000001986A81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515897470.000001986A802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.515970248.000001986A3A7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	609650
Start date and time: 14/04/202222:20:03	2022-04-14 22:20:03 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	apnmcp.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run as Windows Service
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@13/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 94.4%) Quality average: 73.5% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.54.110.249
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
22:21:21	API Interceptor	1x Sleep call for process: apnmcp.exe modified
22:22:18	API Interceptor	8x Sleep call for process: svchost.exe modified

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	28
Entropy (8bit):	3.678439190827718
Encrypted:	false
SSDEEP:	3:4A4AnXjzSv:4HAnXjg
MD5:	A8F4D690C5BDE96AD275C7D4ABE0E3D3
SHA1:	7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
SHA-256:	596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
SHA-512:	A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
Malicious:	false
Preview:	[SC] CreateService SUCCESS..

C:\servicestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	421
Entropy (8bit):	3.5211449278894897
Encrypted:	false
SSDEEP:	6:lg3D/8FsBgVKBRjGxVVLvH2s/u8qLLFmLaZnsHgm66//V+NmBufq:lgACgV0qVbH2suZLQqOVKmKq
MD5:	C29617BF6A7701B011E3AE6E370A9007
SHA1:	CBECB50A7AC496E91E0F3DEC1481409FB9B8B797
SHA-256:	72259919142CB39A07C114D431AE4C7BF838C2A018AA997F6E0D971B1125A572
SHA-512:	D4C60D7EB87BFCC2039D12B0837C39A9C09680CA9E45B120C2FB288CE2FDF6610547BDD811AC35931CCFA5D15F3CCAD03AFD5AEBA43E583F4B6F469CE280A9B6
Malicious:	false
Preview:	..SERVICE_NAME: gjMgd .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 2 START_PENDING .. (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x7d0.. PID : 2124.. FLAGS : ..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.374043405341055
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	apnmcp.exe
File size:	194632
MD5:	abd7edc38ff72ec115031a6cb98ad26e
SHA1:	91f424bf783e3c7f83b2d1987b2b1fe011b61603
SHA256:	c6c84273291a7e21d92d1eef0b92cc8d58dfdc40fa43d8ba52094f937528d92e
SHA512:	21cde1d6e011047109c7887ac545348f819dcbe4d5ba6ac19765f9d1989cf3aba3e42b02898461a3875042580a1e766674552f3e5e9f3b64735aa6c83f892b61
SSDEEP:	3072:+dbegS7294JXS0QWACZ4dtTsIBAnlhdQTjUx/J:+dZ8tBS0xACZ4dtQdQPU
TLSH:	0E145B303EDBD472E2A314329AF9D77A256AF732172290CB775807295E302E26B35717
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.=^..S...S...S.......S.......S.......S.......S...R...S.....3.S.......S.......S.Rich..S.................PE..L...I:.Z...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41161e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5AB43A49 [Thu Mar 22 23:20:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	b205c9dc0ba089112bb651f20e10f63d

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/22/2016 4:00:00 PM 5/30/2018 4:59:59 PM
Subject Chain	CN=APN LLC, O=APN LLC, L=Oakland, S=California, C=US
Version:	3
Thumbprint MD5:	89603F1050557E005E5ECC9E96F58CEF
Thumbprint SHA-1:	6449676F42E028927AD7EC0F42364509B196CD10
Thumbprint SHA-256:	B2BE003349A92AE0D57F00B89F5BD13732610E96CA3190F24DA6DFE598964F6E
Serial:	643E1CE1B238C7969ABFC62773F3038C

Entrypoint Preview

Instruction
call 00007F912CAB2B79h
jmp 00007F912CAAB51Eh
mov edi, edi
push ebp
mov ebp, esp
mov ecx, dword ptr [ebp+0Ch]
push ebx
xor ebx, ebx
cmp ecx, ebx
jbe 00007F912CAAB6ADh
push FFFFFFE0h
xor edx, edx
pop eax
div ecx
cmp eax, dword ptr [ebp+10h]
jnc 00007F912CAAB6A1h
call 00007F912CAAB9C1h
mov dword ptr [eax], 0000000Ch
xor eax, eax
jmp 00007F912CAAB6D3h
imul ecx, dword ptr [ebp+10h]
push esi
push edi
mov esi, ecx
cmp dword ptr [ebp+08h], ebx
je 00007F912CAAB69Dh
push dword ptr [ebp+08h]
call 00007F912CAAF0BBh
pop ecx
mov ebx, eax
push esi
push dword ptr [ebp+08h]
call 00007F912CAB2BC4h
mov edi, eax
pop ecx
pop ecx
test edi, edi
je 00007F912CAAB6A6h
cmp ebx, esi
jnc 00007F912CAAB6A2h
sub esi, ebx
push esi
push 00000000h
add ebx, edi
push ebx
call 00007F912CAA9BC9h
add esp, 0Ch
mov eax, edi
pop edi
pop esi
pop ebx
pop ebp
ret
push 0000000Ch
push 00428B48h
call 00007F912CAABF93h
push 0000000Eh
call 00007F912CAB2DB5h
pop ecx
and dword ptr [ebp-04h], 00000000h
mov esi, dword ptr [ebp+08h]
mov ecx, dword ptr [esi+04h]
test ecx, ecx
je 00007F912CAAB6C1h
mov eax, dword ptr [0042D280h]
mov edx, 0042D27Ch
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F912CAAB6A3h
cmp dword ptr [eax], ecx
jne 00007F912CAAB6BEh
mov ecx, dword ptr [eax+04h]
mov dword ptr [edx+04h], ecx
push eax
call 00007F912CAAAC91h
pop ecx
push dword ptr [esi+04h]
call 00007F912CAAAC88h
pop ecx
and dword ptr [esi+04h], 00000000h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[LNK] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28f9c	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x554	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2e400	0x1448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31000	0x1c78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x21370	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26de8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21000	0x314	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fc57	0x1fe00	False	0.524693627451	data	6.57026214325	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x21000	0x91de	0x9200	False	0.314560145548	data	4.55713666479	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x4230	0x1e00	False	0.282421875	data	3.98288696785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x554	0x600	False	0.41015625	data	4.38482350556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31000	0x2bf6	0x2c00	False	0.526100852273	data	5.12765424553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_STRING	0x300e8	0x2c	data	English	United States
RT_VERSION	0x30114	0x2e4	data	English	United States
RT_MANIFEST	0x303f8	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
PSAPI.DLL	GetModuleFileNameExW, GetProcessImageFileNameW
KERNEL32.dll	SetEvent, Process32NextW, ProcessIdToSessionId, lstrcmpiW, Process32FirstW, CreateToolhelp32Snapshot, WriteFile, ReadFile, CreateNamedPipeW, ConnectNamedPipe, DisconnectNamedPipe, GetOverlappedResult, FlushFileBuffers, WriteConsoleW, SetStdHandle, GetStringTypeW, LCMapStringW, GetConsoleMode, GetConsoleCP, GetProcAddress, FreeLibrary, MultiByteToWideChar, OpenProcess, CloseHandle, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, LocalFree, Beep, lstrlenW, SetEnvironmentVariableA, lstrcmpA, LocalAlloc, Sleep, InterlockedDecrement, WTSGetActiveConsoleSessionId, GetModuleFileNameW, GetCurrentThreadId, GetVersionExW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, RaiseException, CreateFileW, CompareStringW, SetFilePointer, GetTickCount, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, ExitThread, DecodePointer, EncodePointer, RtlUnwind, GetProcessHeap, HeapSize, GetTimeZoneInformation, WideCharToMultiByte, GetStdHandle, HeapCreate, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, ExitProcess, SetLastError, InterlockedIncrement, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, SetUnhandledExceptionFilter, WaitForMultipleObjects, CreateEventW, GetSystemTime, GetModuleHandleW, GetLocalTime, GetCurrentProcessId, OutputDebugStringW, GetLogicalDriveStringsW, QueryDosDeviceW, GetCommandLineW, LoadLibraryW, UnhandledExceptionFilter, GetStartupInfoW, HeapSetInformation, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, CreateThread
USER32.dll	GetMessageW, MessageBoxW, PostThreadMessageW, CharUpperW, CharNextW, LoadStringW, TranslateMessage, SetTimer, KillTimer, RegisterWindowMessageW, DispatchMessageW
ADVAPI32.dll	GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumValueW, LookupPrivilegeValueW, SetTokenInformation, AdjustTokenPrivileges, RegQueryInfoKeyW, RegEnumKeyExW, RegSetValueExW, RegQueryValueExW, RegCloseKey, RegOpenKeyExW, CreateProcessAsUserW, OpenProcessToken, DuplicateTokenEx, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerExW, ControlService, DeleteService, CreateServiceW, OpenSCManagerW, OpenServiceW, CloseServiceHandle, SetServiceStatus, RegisterEventSourceW, ReportEventW, DeregisterEventSource
ole32.dll	CoInitializeSecurity, CoCreateInstance, CoAddRefServerProcess, CoReleaseServerProcess, CoUninitialize, CoInitializeEx, CoTaskMemAlloc, CoTaskMemFree
OLEAUT32.dll	VariantChangeType, VariantClear, VariantInit, SysFreeString, SysAllocString
SHLWAPI.dll	PathRemoveFileSpecW
WINHTTP.dll	WinHttpSetOption, WinHttpCloseHandle, WinHttpSendRequest, WinHttpCrackUrl, WinHttpConnect, WinHttpOpen, WinHttpReceiveResponse, WinHttpQueryDataAvailable, WinHttpOpenRequest, WinHttpQueryHeaders, WinHttpReadData
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile
WTSAPI32.dll	WTSFreeMemory, WTSEnumerateSessionsW
CRYPT32.dll	CertGetNameStringW, CertFreeCertificateContext, CertCloseStore, CertGetCertificateChain, CertFreeCertificateChain, CryptDecodeObject, CryptQueryObject, CryptMsgGetParam, CryptMsgClose, CertFindCertificateInStore
WINTRUST.dll	WinVerifyTrust
msi.dll

Version Infos

Description	Data
LegalCopyright	2018 APN, LLC. All Rights Reserved.
InternalName	APNMCP.exe
FileVersion	21.27.0.148
CompanyName	APN LLC.
ProductName	APN Updater
ProductVersion	21.27.0.148
FileDescription	APN Updater
OriginalFilename	APNMCP.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• cmd.exe
• conhost.exe
• sc.exe
• cmd.exe
• conhost.exe
• sc.exe
• apnmcp.exe
• svchost.exe
• svchost.exe
• svchost.exe
• svchost.exe

Click to jump to process

Target ID:	0
Start time:	22:21:16
Start date:	14/04/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe" >> C:\servicereg.log 2>&1
Imagebase:	0xed0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	22:21:16
Start date:	14/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: sc.exePID: 6288, Parent PID: 4068

General

Target ID:	3
Start time:	22:21:16
Start date:	14/04/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc create gjMgd binpath= "C:\Users\user\Desktop\apnmcp.exe"
Imagebase:	0xb0000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	22:21:18
Start date:	14/04/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc start gjMgd >> C:\servicestart.log 2>&1
Imagebase:	0xed0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	22:21:19
Start date:	14/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: sc.exePID: 6224, Parent PID: 3976

General

Target ID:	8
Start time:	22:21:19
Start date:	14/04/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start gjMgd
Imagebase:	0xb0000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	22:21:19
Start date:	14/04/2022
Path:	C:\Users\user\Desktop\apnmcp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\apnmcp.exe
Imagebase:	0x3b0000
File size:	194632 bytes
MD5 hash:	ABD7EDC38FF72EC115031A6CB98AD26E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: svchost.exePID: 4524, Parent PID: 588

General

Target ID:	10
Start time:	22:21:30
Start date:	14/04/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	22:21:38
Start date:	14/04/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	15
Start time:	22:21:57
Start date:	14/04/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	18
Start time:	22:22:14
Start date:	14/04/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

⊘No disassembly

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report apnmcp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\servicereg.log

C:\servicestart.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: cmd.exePID: 4068, Parent PID: 824

General

File Activities

Windows Analysis Report
apnmcp.exe