Malware analysis pyonkichi.g1.xrea.com Malicious activity

Add for printing

URL:	pyonkichi.g1.xrea.com
Full analysis:	https://app.any.run/tasks/8a601826-753c-4ff9-8d5c-457ebee1ad90
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	September 04, 2025, 06:09:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-scr arch-doc anti-evasion autohotkey ahk loader
Indicators:
MD5:	C06CC28E1B0E5895C8F5EF83998971E3
SHA1:	233026219B612A419AC5FF285EBF05E6CDB07FFF
SHA256:	ACBD8A9B1CD345696FB16F23AA823CAC7A5105115C465AB15498C49211A31FD1
SSDEEP:	3:pLbV0:lbV0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Copies file to a new location (SCRIPT)
  - wscript.exe (PID: 6776)
  - wscript.exe (PID: 6288)
- AHK has been detected (YARA)
  - MouseGestureL.exe (PID: 4224)
- Create files in the Startup directory
  - Setup.exe (PID: 6544)
SUSPICIOUS
- The process executes VB scripts
  - WinRAR.exe (PID: 5476)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 5476)
  - cl64_410.exe (PID: 6720)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 6776)
  - wscript.exe (PID: 6288)
- Enumerates operating system information (Win32_OperatingSystem) (SCRIPT)
  - wscript.exe (PID: 6776)
  - wscript.exe (PID: 6288)
- Executes WMI query (SCRIPT)
  - wscript.exe (PID: 6776)
  - wscript.exe (PID: 6288)
- Executable content was dropped or overwritten
  - wscript.exe (PID: 6288)
  - cl64_410.exe (PID: 6720)
  - Setup.exe (PID: 6544)
- Application launched itself
  - MouseGestureL.exe (PID: 6620)
  - MouseGestureL.exe (PID: 4224)
- AUTOHOTKEY mutex has been found
  - MouseGestureL.exe (PID: 5368)
  - MouseGestureL.exe (PID: 3576)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 6288)
- There is functionality for taking screenshot (YARA)
  - MouseGestureL.exe (PID: 4224)
- Potential Corporate Privacy Violation
  - firefox.exe (PID: 5168)
- Reads the date of Windows installation
  - cl64_410.exe (PID: 6720)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 8016)
- Creates a software uninstall entry
  - Setup.exe (PID: 6544)
INFO
- Application launched itself
  - firefox.exe (PID: 6680)
  - firefox.exe (PID: 5168)
- Manual execution by a user
  - WinRAR.exe (PID: 5476)
  - WinRAR.exe (PID: 2632)
  - wscript.exe (PID: 6288)
  - CLaunch.exe (PID: 7084)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 5168)
  - WinRAR.exe (PID: 5476)
- Launching a file from the Downloads directory
  - firefox.exe (PID: 5168)
- Checks proxy server information
  - slui.exe (PID: 4912)
- Reads the software policy settings
  - slui.exe (PID: 4912)
- The sample compiled with english language support
  - WinRAR.exe (PID: 2632)
  - wscript.exe (PID: 6288)
- The sample compiled with japanese language support
  - WinRAR.exe (PID: 2632)
  - cl64_410.exe (PID: 6720)
  - Setup.exe (PID: 6544)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2632)
  - firefox.exe (PID: 5168)
- Checks supported languages
  - MouseGestureL.exe (PID: 6620)
  - MouseGestureL.exe (PID: 4224)
  - MouseGestureL.exe (PID: 5368)
  - MouseGestureL.exe (PID: 3576)
  - cl64_410.exe (PID: 6720)
  - Setup.exe (PID: 6544)
  - CLaunch.exe (PID: 7084)
- AutoHotkey executable
  - wscript.exe (PID: 6288)
  - MouseGestureL.exe (PID: 6620)
  - MouseGestureL.exe (PID: 4224)
- Reads the computer name
  - MouseGestureL.exe (PID: 5368)
  - cl64_410.exe (PID: 6720)
  - Setup.exe (PID: 6544)
  - CLaunch.exe (PID: 7084)
- Detects AutoHotkey samples (YARA)
  - MouseGestureL.exe (PID: 4224)
- Process checks computer location settings
  - cl64_410.exe (PID: 6720)
- Creates files in the program directory
  - Setup.exe (PID: 6544)
- Create files in a temporary directory
  - cl64_410.exe (PID: 6720)
- Launching a file from the Startup directory
  - Setup.exe (PID: 6544)
- Creates files or folders in the user directory
  - Setup.exe (PID: 6544)
  - CLaunch.exe (PID: 7084)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

180

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

620

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 2104 -prefsLen 36520 -prefMapHandle 2108 -prefMapSize 272997 -ipcHandle 2124 -initialChannelId {1184d41a-943c-4e5b-b306-37fcf48caa0a} -parentPid 5168 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5168" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

640

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 3504 -prefsLen 36996 -prefMapHandle 3508 -prefMapSize 272997 -ipcHandle 3516 -initialChannelId {df460efc-159e-4609-88e0-8f3e4f36623d} -parentPid 5168 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5168" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

1212

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2676 -prefsLen 39530 -prefMapHandle 5564 -prefMapSize 272997 -jsInitHandle 6112 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 2952 -initialChannelId {268beb0d-a552-4e45-b5f1-96517a06566b} -parentPid 5168 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5168" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 17 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll

1644

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6068 -prefsLen 39530 -prefMapHandle 5716 -prefMapSize 272997 -jsInitHandle 5752 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5712 -initialChannelId {4bae1271-adb2-4a5c-937a-56e1dd174604} -parentPid 5168 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5168" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2132

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3404 -prefsLen 31090 -prefMapHandle 3408 -prefMapSize 272997 -jsInitHandle 3412 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3420 -initialChannelId {9ad44e69-7817-414d-98f1-4bf0abe3f6c0} -parentPid 5168 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5168" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll

2200

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2388

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 1 -prefsHandle 5796 -prefsLen 45584 -prefMapHandle 5164 -prefMapSize 272997 -ipcHandle 4792 -initialChannelId {fb4c5839-6921-469a-ae38-e0c7dea9e1bf} -parentPid 5168 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5168" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll

2592

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2632

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\MGLahk141.zip" "?\"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3576

"C:\Users\admin\Downloads\MGLahk141\MouseGestureL.exe" /restart /script "C:\Users\admin\Downloads\MGLahk141\MouseGestureL.ahk"

C:\Users\admin\Downloads\MGLahk141\MouseGestureL.exe

MouseGestureL.exe

User:

admin

Company:

AutoHotkey Foundation LLC

Integrity Level:

MEDIUM

Description:

AutoHotkey Unicode 64-bit

Version:

1.1.37.02

Modules

Images
c:\users\admin\downloads\mglahk141\mousegesturel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

26 782

Read events

26 711

Write events

Delete events

Modification events


(PID) Process:	(5168) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\MGLahk141.zip
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5476) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:

Add for printing

Executable files

Suspicious files

393

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5168	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\safebrowsing-updating\ads-track-digest256.sbstore		—
		MD5:—	SHA256:—
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		binary
		MD5:0A228829C66CD69F1EB45FB747FA9DAD	SHA256:65E79FA3256D59D2FD868488CFE287D421CC9BC78201FB4380311D046321C62A
5168	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.contile.json.tmp		binary
		MD5:F0E4A1DDA5ACCC6806459EC811E369FC	SHA256:83B64890D2A5FE91EAEFA2AE65CCF5B51E2084B119FD4DF60CD030AD3AB35DA1
5168	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js		text
		MD5:2FD670934FEF0C60E2119BD874AAF470	SHA256:771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

240

TCP/UDP connections

316

DNS requests

271

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5168	firefox.exe	POST	200	172.217.18.99:80	http://o.pki.goog/s/wr3/vbw	unknown	—	—	whitelisted
5168	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
5168	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
5168	firefox.exe	POST	200	172.217.18.99:80	http://o.pki.goog/s/wr3/W6c	unknown	—	—	whitelisted
5168	firefox.exe	POST	200	104.18.20.226:80	http://ocsp.globalsign.com/gsgccr3dvtlsca2020	unknown	—	—	whitelisted
5168	firefox.exe	POST	200	104.18.20.226:80	http://ocsp.globalsign.com/gsgccr3dvtlsca2020	unknown	—	—	whitelisted
5168	firefox.exe	POST	200	172.217.18.99:80	http://o.pki.goog/we2	unknown	—	—	whitelisted
5168	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
5168	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
5168	firefox.exe	POST	200	172.217.18.99:80	http://o.pki.goog/s/wr3/W6c	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4084	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5168	firefox.exe	34.160.144.191:443	content-signature-2.cdn.mozilla.net	GOOGLE	US	whitelisted
5168	firefox.exe	160.251.150.243:443	pyonkichi.g1.xrea.com	GMO Internet,Inc	JP	whitelisted
5168	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
5168	firefox.exe	34.36.137.203:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
5168	firefox.exe	151.101.129.91:443	firefox.settings.services.mozilla.com	FASTLY	US	whitelisted
5168	firefox.exe	172.217.18.99:80	o.pki.goog	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 51.104.136.2	whitelisted
google.com	172.217.23.110	whitelisted
content-signature-2.cdn.mozilla.net	34.160.144.191	whitelisted
content-signature-chains.prod.autograph.services.mozaws.net	34.160.144.191 2600:1901:0:92a9::	whitelisted
pyonkichi.g1.xrea.com	160.251.150.243	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.36.137.203	whitelisted
spocs.getpocket.com	34.36.137.203	whitelisted
example.org	23.220.75.238 23.220.75.235 23.215.0.132 23.215.0.133	whitelisted

Threats

PID	Process	Class	Message
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD
5168	firefox.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5168	firefox.exe	Misc activity	ET INFO Packed Executable Download

Add for printing

No debug info

General Info

pyonkichi.g1.xrea.com

C06CC28E1B0E5895C8F5EF83998971E3

233026219B612A419AC5FF285EBF05E6CDB07FFF

ACBD8A9B1CD345696FB16F23AA823CAC7A5105115C465AB15498C49211A31FD1

3:pLbV0:lbV0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Copies file to a new location (SCRIPT)

AHK has been detected (YARA)

Create files in the Startup directory

SUSPICIOUS

The process executes VB scripts

Reads security settings of Internet Explorer

Creates FileSystem object to access computer's file system (SCRIPT)

Enumerates operating system information (Win32_OperatingSystem) (SCRIPT)

Executes WMI query (SCRIPT)

Executable content was dropped or overwritten

Application launched itself

AUTOHOTKEY mutex has been found

Runs shell command (SCRIPT)

There is functionality for taking screenshot (YARA)

Potential Corporate Privacy Violation

Reads the date of Windows installation

Deletes scheduled task without confirmation

Creates a software uninstall entry

INFO

Application launched itself

Manual execution by a user

Reads Microsoft Office registry keys

Launching a file from the Downloads directory

Checks proxy server information

Reads the software policy settings

The sample compiled with english language support

The sample compiled with japanese language support

Executable content was dropped or overwritten

Checks supported languages

AutoHotkey executable

Reads the computer name

Detects AutoHotkey samples (YARA)

Process checks computer location settings

Creates files in the program directory

Create files in a temporary directory

Launching a file from the Startup directory

Creates files or folders in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files