Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 12, 2021, 9:39 a.m.	July 12, 2021, 9:42 a.m.

Size	177.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ab709667f7fda587f65ced022c09e455`
SHA256	`b114ef56a196fbcc1830e01d7307fb55f06b35cc6f4ddfcac27872552e019b49`
CRC32	`E29EF34D`
ssdeep	`3072:d45qKNLISAJZIn/fAI3TsmfvBgOa/n7BEDaXbUkAlGVEWL+:Ad0SAs/l3BPY7KDaXb0kV`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description)

P3GlorySetp.exe "C:\Users\test22\AppData\Local\Temp\P3GlorySetp.exe"
1684
- 7667577.exe "C:\Users\test22\AppData\Roaming\7667577.exe"
  2364
- 4126979.exe "C:\Users\test22\AppData\Roaming\4126979.exe"
  2656
  - WinHoster.exe "C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe"
    2312
- 3935621.exe "C:\Users\test22\AppData\Roaming\3935621.exe"
  2416

Name	Response	Post-Analysis Lookup
netoterizi.xyz	A 185.14.31.80	185.14.31.80
videoconvert-download38.xyz	A 104.21.42.63 A 172.67.201.250	172.67.201.250
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.201.250	Active	Moloch
185.14.31.80	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 12, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 9:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 12, 2021, 9:39 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:39 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:33 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:40 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:40 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:40 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:40 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:40 a.m.			0	0
IsDebuggerPresent July 12, 2021, 9:40 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey July 12, 2021, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000045c7f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000045c860 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000045c860 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000045ca20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000045ca20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000045ca20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039ade8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039ade8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0039afa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2021, 9:39 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	)`\x17\x03Th\x19\|
section

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 12, 2021, 9:33 a.m.	stacktrace: 0x7fe91ce1f87 0x7fe91cd799a 0x7fe91cd4042 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef13bb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef13bad83 mscorlib+0x563c95 @ 0x7fef0303c95 mscorlib+0x486001 @ 0x7fef0226001 mscorlib+0x48c543 @ 0x7fef022c543 0x7fe91d118c2 system+0x2e8e84 @ 0x7feedce8e84 PreBindAssemblyEx+0xb953 CreateHistoryReader-0x67311 clr+0x10e747 @ 0x7fef142e747 0x7fe91cc0f76 0x7fe91cc00af CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef136f30b _CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef150721c _CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef1507976 _CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef1507870 _CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef15073e6 _CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef150733e _CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef1503ed4 _CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef30074e5 _CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef3805b21 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 48 8b 00 48 8b 40 40 4c 8b 9d c0 00 00 00 48 8b exception.instruction: mov rax, qword ptr [rax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe91ce1f87 registers.r14: 0 registers.r15: 0 registers.rcx: 8789949466360 registers.rsi: 0 registers.r10: 8796092039192 registers.rbx: 0 registers.rsp: 2554240 registers.r11: 2543872 registers.r8: 38086632 registers.r9: 0 registers.rdx: 38049080 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 12, 2021, 9:33 a.m.

stacktrace:

0x7fe91ce1f87
0x7fe91cd799a
0x7fe91cd4042
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef13bb042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef13bad83
mscorlib+0x563c95 @ 0x7fef0303c95
mscorlib+0x486001 @ 0x7fef0226001
mscorlib+0x48c543 @ 0x7fef022c543
0x7fe91d118c2
system+0x2e8e84 @ 0x7feedce8e84
PreBindAssemblyEx+0xb953 CreateHistoryReader-0x67311 clr+0x10e747 @ 0x7fef142e747
0x7fe91cc0f76
0x7fe91cc00af
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef136f30b
_CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef150721c
_CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef1507976
_CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef1507870
_CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef15073e6
_CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef150733e
_CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef1503ed4
_CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef30074e5
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef3805b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 48 8b 00 48 8b 40 40 4c 8b 9d c0 00 00 00 48 8b
exception.instruction: mov rax, qword ptr [rax]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe91ce1f87
registers.r14: 0
registers.r15: 0
registers.rcx: 8789949466360
registers.rsi: 0
registers.r10: 8796092039192
registers.rbx: 0
registers.rsp: 2554240
registers.r11: 2543872
registers.r8: 38086632
registers.r9: 0
registers.rdx: 38049080
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://netoterizi.xyz/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://videoconvert-download38.xyz/?user=p3_1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://videoconvert-download38.xyz/?user=p3_2
suspicious_features	GET method with no useragent header	suspicious_request	GET https://videoconvert-download38.xyz/?user=p3_3
suspicious_features	GET method with no useragent header	suspicious_request	GET https://videoconvert-download38.xyz/?user=p3_4
suspicious_features	GET method with no useragent header	suspicious_request	GET https://videoconvert-download38.xyz/?user=p3_5
suspicious_features	GET method with no useragent header	suspicious_request	GET https://videoconvert-download38.xyz/?user=p3_6
suspicious_features	GET method with no useragent header	suspicious_request	GET https://videoconvert-download38.xyz/?user=bld
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1WYBy7

Performs some HTTP requests (10 events)

request	POST http://netoterizi.xyz/
request	GET https://videoconvert-download38.xyz/?user=p3_1
request	GET https://videoconvert-download38.xyz/?user=p3_2
request	GET https://videoconvert-download38.xyz/?user=p3_3
request	GET https://videoconvert-download38.xyz/?user=p3_4
request	GET https://videoconvert-download38.xyz/?user=p3_5
request	GET https://videoconvert-download38.xyz/?user=p3_6
request	GET https://videoconvert-download38.xyz/?user=bld
request	GET https://iplogger.org/1WTBy7
request	GET https://iplogger.org/1WYBy7

Sends data using the HTTP POST Method (1 event)

request

POST http://netoterizi.xyz/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 258 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ce0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91baa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001262000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cd9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cdb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bbd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 19968 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ce0400 process_handle: 0xffffffffffffffff		-1073741746
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:39 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cdd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\4126979.exe
file	C:\Users\test22\AppData\Roaming\7667577.exe
file	C:\Users\test22\AppData\Roaming\3935621.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW July 12, 2021, 9:40 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\WinHost filepath: C:\Users\test22\AppData\Roaming\WinHost	1	1	0
SetFileAttributesW July 12, 2021, 9:40 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe filepath: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe	1	1	0

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\7667577.exe
file	C:\Users\test22\AppData\Roaming\4126979.exe
file	C:\Users\test22\AppData\Roaming\3935621.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\7667577.exe
file	C:\Users\test22\AppData\Roaming\3935621.exe
file	C:\Users\test22\AppData\Roaming\4126979.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 12, 2021, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\7667577.exe parameters: filepath: C:\Users\test22\AppData\Roaming\7667577.exe	1	1
ShellExecuteExW July 12, 2021, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\4126979.exe parameters: filepath: C:\Users\test22\AppData\Roaming\4126979.exe	1	1
ShellExecuteExW July 12, 2021, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\3935621.exe parameters: filepath: C:\Users\test22\AppData\Roaming\3935621.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 12, 2021, 9:39 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00014400', u'virtual_address': u'0x00002000', u'entropy': 7.998080645179345, u'name': u')`\\x17\\x03Th\\x19|', u'virtual_size': u'0x000143bc'}

entropy

7.99808064518

description

A section with a high entropy has been found

entropy

0.458923512748

description

Overall entropy of this PE file is high

Queries for potentially installed applications (3 events)

Time & API	Arguments	Status
RegOpenKeyExW July 12, 2021, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0xffffffff80000002 key_handle: 0x0000000000000310 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 12, 2021, 9:33 a.m.	regkey_r: 7-Zip base_handle: 0x0000000000000310 key_handle: 0x0000000000000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW July 12, 2021, 9:33 a.m.	regkey_r: AddressBook base_handle: 0x0000000000000310 key_handle: 0x0000000000000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinHost

reg_value

C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe

Collects information about installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegQueryValueExW July 12, 2021, 9:33 a.m.	key_handle: 0x0000000000000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Executed a process and injected code into it, probably while unpacking (50 out of 53 events)

Time & API	Arguments	Status	Return
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1684	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1684	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 1684	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x0000000000000134	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x0000000000000134	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1684	1	0
NtResumeThread July 12, 2021, 9:39 a.m.	thread_handle: 0x0000000000000398 suspend_count: 1 process_identifier: 1684	1	0
NtGetContextThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000000000000c8	1	0
NtSetContextThread July 12, 2021, 9:40 a.m.	registers.r14: 2877536 registers.r15: 8789948074632 registers.rcx: 10 registers.rsi: 314046224 registers.r10: 314822448 registers.rbx: 314046240 registers.rsp: 2875456 registers.r11: 314046204 registers.r8: 4287688906 registers.r9: 314070666 registers.rip: 8791550951072 registers.rdx: 312041460 registers.r12: 40523600 registers.rbp: 776208 registers.rdi: 311976316 registers.rax: 65424 registers.r13: 40519664 thread_handle: 0x00000000000000c8 process_identifier: 1684	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1684	1	0
CreateProcessInternalW July 12, 2021, 9:40 a.m.	thread_identifier: 1892 thread_handle: 0x00000000000006e0 process_identifier: 2364 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\7667577.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\7667577.exe" filepath_r: C:\Users\test22\AppData\Roaming\7667577.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000006e8	1	1
CreateProcessInternalW July 12, 2021, 9:40 a.m.	thread_identifier: 1568 thread_handle: 0x00000000000006e0 process_identifier: 2656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\4126979.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\4126979.exe" filepath_r: C:\Users\test22\AppData\Roaming\4126979.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000006d4	1	1
CreateProcessInternalW July 12, 2021, 9:40 a.m.	thread_identifier: 2332 thread_handle: 0x00000000000006e8 process_identifier: 2416 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\3935621.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\3935621.exe" filepath_r: C:\Users\test22\AppData\Roaming\3935621.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000006ec	1	1
NtResumeThread July 12, 2021, 9:33 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread July 12, 2021, 9:33 a.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread July 12, 2021, 9:33 a.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread July 12, 2021, 9:33 a.m.	thread_handle: 0x0000000000000204 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread July 12, 2021, 9:33 a.m.	thread_handle: 0x00000000000002f0 suspend_count: 1 process_identifier: 2364	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2656	1	0
NtGetContextThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2656	1	0
CreateProcessInternalW July 12, 2021, 9:40 a.m.	thread_identifier: 1940 thread_handle: 0x00000474 process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe" filepath_r: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000047c	1	1
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread July 12, 2021, 9:40 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2416	1	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Cerbu.107196
FireEye	Generic.mg.ab709667f7fda587
ALYac	Gen:Variant.Cerbu.107196
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/GenKryptik.5a8ba9f3
Cybereason	malicious.636bdc
BitDefenderTheta	Gen:NN.ZemsilF.34790.lu0@aKo!t5d
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.EWGN
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Cerbu.107196
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Cerbu.107196
Emsisoft	Gen:Variant.Cerbu.107196 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.ch
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.MSIL.Agent
Antiy-AVL	Trojan/Generic.ASMalwS.203F2E3
Microsoft	Trojan:Win32/Wacatac.B!ml
Gridinsoft	Trojan.Heur!.03013281
GData	Gen:Variant.Cerbu.107196
Cynet	Malicious (score: 100)
McAfee	Artemis!AB709667F7FD
MAX	malware (ai score=87)
VBA32	CIL.StupidPInvoker-1.Heur
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/Trojan.Generic.HgIASYMA

P3GlorySetp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All