Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 5:34 p.m.	March 22, 2021, 5:38 p.m.

Size	71.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1c9bb6efaebb7a43cab38e3d58b5134c`
SHA256	`596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f`
CRC32	`A88A607E`
ssdeep	`768:YdTddyzeY8phVbizLDQ9ANxKeE3R4ekDlEJJJJJJJJJJJJJJJJJcgll3YELFBk68:llJE46EsseeQXJH4CfK/CUcgQIb`
PDB Path	C:\Users\Test\Desktop\Desktop Files\Modern-Media-Player-UI-C-Sharp-master\PlayerUI\obj\Release\PlayerUI.pdb
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

PlayerUI5.exe "C:\Users\test22\AppData\Local\Temp\PlayerUI5.exe"
5032
- queeM2cQn445sP3z3DNfJmv7.exe "C:\Users\test22\Documents\queeM2cQn445sP3z3DNfJmv7.exe"
  9168
- 079d6Elc1QmiOG6jMdTGebqE.exe "C:\Users\test22\Documents\079d6Elc1QmiOG6jMdTGebqE.exe"
  2648
- R5OBPWKTPiD3JhILHPonZKTs.exe "C:\Users\test22\Documents\R5OBPWKTPiD3JhILHPonZKTs.exe"
  4104
- o4ow4y9aGUAUAw2RBlB55McU.exe "C:\Users\test22\Documents\o4ow4y9aGUAUAw2RBlB55McU.exe"
  2572
- gJeEWceXwkagZPf5F38xDLuR.exe "C:\Users\test22\Documents\gJeEWceXwkagZPf5F38xDLuR.exe"
  7312
  - gJeEWceXwkagZPf5F38xDLuR.exe "C:\Users\test22\Documents\gJeEWceXwkagZPf5F38xDLuR.exe"
    1032
- MfJYv3SVzdEPvV5iPTwPkkCR.exe "C:\Users\test22\Documents\MfJYv3SVzdEPvV5iPTwPkkCR.exe"
  6956
  - MfJYv3SVzdEPvV5iPTwPkkCR.exe "C:\Users\test22\Documents\MfJYv3SVzdEPvV5iPTwPkkCR.exe"
    6960
- IZL9sKSOxW6e6zUZMMQOs0uj.exe "C:\Users\test22\Documents\IZL9sKSOxW6e6zUZMMQOs0uj.exe"
  6708

Name	Response	Post-Analysis Lookup
aretywer.xyz	A 45.144.30.78	45.144.30.78
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.98.190
www.investinae.com	CNAME investinae.com A 108.167.143.77	108.167.143.77
iplogger.org	A 88.99.66.31	88.99.66.31
msiamericas.com	A 141.136.39.190	141.136.39.190
d0wnl0ads.online
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	172.67.162.110
digitalassets.ams3.digitaloceanspaces.com	A 5.101.110.225	5.101.110.225
whatitis.site	A 91.200.41.57 A 92.63.99.163	91.200.41.57
mytoolsprivacy.site	A 179.43.158.179	179.43.158.179
jg3.3uag.pw

IP Address	Status	Action
103.124.106.203	Active	Moloch
104.23.99.190	Active	Moloch
108.167.143.77	Active	Moloch
141.136.39.190	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.162.110	Active	Moloch
179.43.158.179	Active	Moloch
188.93.233.223	Active	Moloch
45.133.1.139	Active	Moloch
45.144.30.78	Active	Moloch
5.101.110.225	Active	Moloch
88.99.66.31	Active	Moloch
91.200.41.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49810 -> 104.23.99.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49806 -> 45.133.1.139:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49809 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49815 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 141.136.39.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49818 -> 141.136.39.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49818 -> 141.136.39.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49820 -> 108.167.143.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.200.41.57:80 -> 192.168.56.102:49811	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49816 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.200.41.57:80 -> 192.168.56.102:49811	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.200.41.57:80 -> 192.168.56.102:49811	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
UDP 192.168.56.102:62039 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49814 -> 103.124.106.203:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 179.43.158.179:80 -> 192.168.56.102:49819	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49814	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49814	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.144.30.78:80 -> 192.168.56.102:49821	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.139:80 -> 192.168.56.102:49806	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.139:80 -> 192.168.56.102:49806	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.133.1.139:80 -> 192.168.56.102:49806	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49827 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49813 -> 188.93.233.223:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 141.136.39.190:443 -> 192.168.56.102:49818	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.136.39.190:443 -> 192.168.56.102:49818	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49810 104.23.99.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a
TLSv1 192.168.56.102:49809 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49827 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 5:34 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:34 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:35 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:35 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Test\Desktop\Desktop Files\Modern-Media-Player-UI-C-Sharp-master\PlayerUI\obj\Release\PlayerUI.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 5:34 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: 0x2de211f 0x24e0a05 0x24e02b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2e46108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 12263504 registers.ecx: 1637816	1	0	0
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: 0x2c8211f 0x2380a05 0x23802b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2ce6108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 11608144 registers.ecx: 1637816	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.133.1.139/Manager/Temp/EFgzd7IrnKmvSY7NoweEU7Pm/KG5pc5F7jZu3r0hr7kiig97u.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatitis.site/dlc/mixinte
suspicious_features	Connection to IP address	suspicious_request	GET http://188.93.233.223/proxy1.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://103.124.106.203/cof4/inst.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ixtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/mH2EJxkv
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1lx5k

Performs some HTTP requests (11 events)

request	GET http://45.133.1.139/Manager/Temp/EFgzd7IrnKmvSY7NoweEU7Pm/KG5pc5F7jZu3r0hr7kiig97u.exe
request	GET http://whatitis.site/dlc/mixinte
request	GET http://188.93.233.223/proxy1.exe
request	GET http://103.124.106.203/cof4/inst.exe
request	GET http://file.ekkggr3.com/iuww/jvppp.exe
request	GET http://mytoolsprivacy.site/downloads/privacytools3.exe
request	GET http://aretywer.xyz/Corepad092.exe
request	GET https://iplogger.org/1ixtu7
request	GET https://pastebin.com/raw/mH2EJxkv
request	GET https://iplogger.org/1hVa87
request	GET https://iplogger.org/1lx5k

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

jg3.3uag.pw

description

Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 55 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 9168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 110592 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009cb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 9168 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0099b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 2648 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4104 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 2572 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 2572 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 2572 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 663552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 7312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 7312 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 6956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 6956 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

PlayerUI5.exe tried to sleep 161 seconds, actually delayed analysis time by 161 seconds

Creates executable files on the filesystem (50 out of 8841 events)

file	C:\Users\test22\Documents\3MVOZUuX2dbYF1yEWzpy9ADF.exe
file	C:\Users\test22\Documents\uFr98lHUQUjyCx10bzWlaIJw.exe
file	C:\Users\test22\Documents\HJUOzR6HRT9Ns8OzmV1TVkCr.exe
file	C:\Users\test22\Documents\SZT85OGawVK8IluKC77mfGqh.exe
file	C:\Users\test22\Documents\TUtd4oHUQ7gxXMzrJozzjIbG.exe
file	C:\Users\test22\Documents\1tPftPMR1wgyhZMLm0IsiV4a.exe
file	C:\Users\test22\Documents\aprLg7l5I3tE2pYrXRlapppg.exe
file	C:\Users\test22\Documents\CufymhaDWT4SSd1QmABHDmTs.exe
file	C:\Users\test22\Documents\kqM8But77ZzFLexR9OPeVtMJ.exe
file	C:\Users\test22\Documents\vpgw66s05IGR9UY1529rAoKY.exe
file	C:\Users\test22\Documents\SD0N7Wm8BH5CVbVfyNwUxg1B.exe
file	C:\Users\test22\Documents\1qjX1cGr6knBtFftzoXsHJpk.exe
file	C:\Users\test22\Documents\S4GaGxa7zKdpyJ919uF2TpiG.exe
file	C:\Users\test22\Documents\SmMwkb0DjVUfSnFZERSILGSC.exe
file	C:\Users\test22\Documents\dF8imvMyJ5aQK1a3CUpmlm7h.exe
file	C:\Users\test22\Documents\S0Cf4xae9kO9copGMmTEwqiE.exe
file	C:\Users\test22\Documents\hKmHgYJykBj2RK9DbtAylgWV.exe
file	C:\Users\test22\Documents\uPM5mULYrz6C6b1DigXgVLqF.exe
file	C:\Users\test22\Documents\crByz1hYoPfcnIAYcZ0OYqfV.exe
file	C:\Users\test22\Documents\UHJO25yZx4DHmNQ9lbNpWbrP.exe
file	C:\Users\test22\Documents\MR00BKttJgc2FvroIGevmB0z.exe
file	C:\Users\test22\Documents\cdxaHhR2NIQm2rYo2hhozGLS.exe
file	C:\Users\test22\Documents\ivHuqxs04Miwq5f1NDb5IrVZ.exe
file	C:\Users\test22\Documents\Sk2us8FaaKcLsWSGG2OagMM6.exe
file	C:\Users\test22\Documents\WCKqxD1r0l55E6sOjyPYN6nx.exe
file	C:\Users\test22\Documents\R7vc9TiQ2XPBfA1KtechqZbS.exe
file	C:\Users\test22\Documents\X5wd0hd9QIzLyhLyyVW1vVlG.exe
file	C:\Users\test22\Documents\CXf6HIAqgKoeYrbHeILlytFq.exe
file	C:\Users\test22\Documents\DoCftfVQKIlEpt1ptnI5vuzm.exe
file	C:\Users\test22\Documents\2v3WhqknXAWikLLJE62g6YMk.exe
file	C:\Users\test22\Documents\uaeqFFLIVplr9hNetgG5V3e8.exe
file	C:\Users\test22\Documents\O3JOFfH26dINCYmKCowEQGOS.exe
file	C:\Users\test22\Documents\C2W7ueXDlbrpKNr53lDTjrFx.exe
file	C:\Users\test22\Documents\XetEJg8DVSK33tQJp7ZUJnuN.exe
file	C:\Users\test22\Documents\52qmrTEwjsuBeVObrfs6kk12.exe
file	C:\Users\test22\Documents\RAmbDYCZ7UWH1qv4U8WzGcGq.exe
file	C:\Users\test22\Documents\A6GOseebPFtiFaH6pTmO4HJN.exe
file	C:\Users\test22\Documents\z8HIROQ8lVVpXp6jfv7g5DfI.exe
file	C:\Users\test22\Documents\EdR7mGzS8ou4AqgwBILaQbpa.exe
file	C:\Users\test22\Documents\rxcfAbK1VwxiOto8xfQQn1vK.exe
file	C:\Users\test22\Documents\p4S4X5T7aJcPUIprIWnccCmu.exe
file	C:\Users\test22\Documents\KYb3xeaWd7b861Z6D8x7kQ5K.exe
file	C:\Users\test22\Documents\WnmKCim2YHlnfLSPS4YjRBpZ.exe
file	C:\Users\test22\Documents\54uboVVNUeuz3c6byYzruRYa.exe
file	C:\Users\test22\Documents\GKV8NcDen6gcEkbmJhxiaMqa.exe
file	C:\Users\test22\Documents\rwnDoJetsctuBpKIBeKw1Zia.exe
file	C:\Users\test22\Documents\F1PPKnhrp8vuGWTthUTiZgbm.exe
file	C:\Users\test22\Documents\qhFa7AbXwGwHgRdGkY0tc2J4.exe
file	C:\Users\test22\Documents\HjV90y8mB2axquf8fyZDd8xK.exe
file	C:\Users\test22\Documents\gcjeWdk3butR5qeyNqSAVCWg.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 22, 2021, 5:35 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a4 filepath: C:\Users\Public\Pictures\K8S5373.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\Public\Pictures\K8S5373.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0
NtCreateFile March 22, 2021, 5:35 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000012c filepath: C:\Users\Public\Documents\LJ3U13d2b6y.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\Public\Documents\LJ3U13d2b6y.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0

Creates a suspicious process (1 event)

cmdline

C:\Users\test22\Documents\TxpMBJFBeRBTvIQ2S4YllCmd.exe

Drops a binary and executes it (5 events)

file	C:\Users\test22\Documents\queeM2cQn445sP3z3DNfJmv7.exe
file	C:\Users\test22\Documents\R5OBPWKTPiD3JhILHPonZKTs.exe
file	C:\Users\test22\Documents\o4ow4y9aGUAUAw2RBlB55McU.exe
file	C:\Users\test22\Documents\gJeEWceXwkagZPf5F38xDLuR.exe
file	C:\Users\test22\Documents\URwyiL4EKtcvIg3XJ72FfEhX.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\4DD3.tmp

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 5:34 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00011200', u'virtual_address': u'0x00002000', u'entropy': 7.0602172376556664, u'name': u'.text', u'virtual_size': u'0x00011178'}

entropy

7.06021723766

description

A section with a high entropy has been found

entropy

0.971631205674

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1

Yara rule detected in process memory (14 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (23 events)

cmdline	C:\Users\test22\Documents\SmMwkb0DjVUfSnFZERSILGSC.exe
cmdline	C:\Users\test22\Documents\mK1nanN6Gu9iNwA0aUF1Blsc.exe
cmdline	C:\Users\test22\Documents\vhIyDGTeQPF4yUQEOwlmwLaT.exe
cmdline	C:\Users\test22\Documents\srcIWe6rPLgSwa9a2zpi5dSc.exe
cmdline	C:\Users\test22\Documents\j9i8DHhPvI6GsxAhDFZZdLAt.exe
cmdline	C:\Users\test22\Documents\33B7ho8ojHKHRHL879X1Oysc.exe
cmdline	C:\Users\test22\Documents\NwtblMyc9qIorEIPNagXnoSC.exe
cmdline	C:\Users\test22\Documents\U0EooRfhwgqI6fiPm9OydcAT.exe
cmdline	C:\Users\test22\Documents\e6NELqCYbnlVQJuEj6jSJ9at.exe
cmdline	C:\Users\test22\Documents\LLXuLeiCN84io1EWBIY5Adsc.exe
cmdline	C:\Users\test22\Documents\R5pfkJiqtreIe8qQM46UTlSc.exe
cmdline	C:\Users\test22\Documents\yRjQFp5sRGoE3Y3pgMiIP3SC.exe
cmdline	C:\Users\test22\Documents\Z5ri6hrv9UN25UWklZJ6yEAT.exe
cmdline	C:\Users\test22\Documents\5vNYwOSQpmT6ghoA1K8AIhAt.exe
cmdline	C:\Users\test22\Documents\vWYyHSQJt8nXTHNjlzx0gkaT.exe
cmdline	C:\Users\test22\Documents\YZud8pEg7rBIdg39vhEU1dAT.exe
cmdline	C:\Users\test22\Documents\yrAZ7742ua18N7hEM7LnPOSc.exe
cmdline	C:\Users\test22\Documents\G0u6AnHMp1uQsQfpeHRGdbaT.exe
cmdline	C:\Users\test22\Documents\0J0wvc3FGqiRqRYQ4cTfr7SC.exe
cmdline	C:\Users\test22\Documents\v3Y0brK3HdDRY0xYZCeegosc.exe
cmdline	C:\Users\test22\Documents\aIX6noLqasIsB2k5bYIes4sc.exe
cmdline	C:\Users\test22\Documents\MAd8P8mwdZHIbQO0CHxvJ6AT.exe
cmdline	C:\Users\test22\Documents\7JUe09cuG6HAJ1cyrHPRyxAt.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: c65a1c55100a6721644281a07c430f1415e4242e

Communicates with host for which no DNS query was performed (4 events)

host	103.124.106.203
host	172.217.25.14
host	188.93.233.223
host	45.133.1.139

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 1032 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 6960 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\Documents\avgPq3oxvaP4W6Kmqrh3eCzd.exe

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 22, 2021, 5:34 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (50 out of 8848 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Muavi Music Player cUfL7VziLIELR_pGp2nTM0yBE9XWYHO5Ebr6	reg_value	C:\Users\test22\AppData\Roaming\MicrosofttJeHPxeSHxErXiT36sktW0FCUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\FEbTjzMwlm3OD3mRXaTs6zbEhVg1b27D	reg_value	C:\Users\test22\Documents\queeM2cQn445sP3z3DNfJmv7.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nWwOTUUtpzPgef0Ouf9yfVs2jgaguPt5	reg_value	C:\Users\test22\Documents\8gZHbIqxsHUFWpw9a5IsTDAP.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bfb0Q61UZNZbxsd8lAaFOK4SAqwcJyWc	reg_value	C:\Users\test22\Documents\o4ow4y9aGUAUAw2RBlB55McU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bUvZXIJKdq5xWaeTIDT4wXF0kI0kJZKk	reg_value	C:\Users\test22\Documents\gJeEWceXwkagZPf5F38xDLuR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\O4yOSiADfV7ZaAWEc1CgvgleMQYqFEFY	reg_value	C:\Users\test22\Documents\079d6Elc1QmiOG6jMdTGebqE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TUCBJU8bPiHfvUyFqtQNdsVoHMi0Zb9H	reg_value	C:\Users\test22\Documents\R5OBPWKTPiD3JhILHPonZKTs.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8Y47vIBxiA3Om3vikVn1EuPevwZ0fUNg	reg_value	C:\Users\test22\Documents\mgs5TIJ5jlnkZnawai6p3FOl.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\l2DHQpE5ksxyAJsagxlXQpk7EpVPGSfR	reg_value	C:\Users\test22\Documents\IZL9sKSOxW6e6zUZMMQOs0uj.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\plYzHL8HSB4OCfZCd0r5PXT5SFClTyyS	reg_value	C:\Users\test22\Documents\SH65OLJbkzBYuMKhxYEhcXgO.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SchBIWxeMmBgVBQkhWGwSEK6KdVACjrm	reg_value	C:\Users\test22\Documents\MfJYv3SVzdEPvV5iPTwPkkCR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Sk1oBxcn4ZDd57OQKnGsBBmvQG801eIN	reg_value	C:\Users\test22\Documents\d1FTVRMcpkCITYNOCLrNeP9O.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8FY5ylvaQzlE7e0mMOklxsahw33aaREl	reg_value	C:\Users\test22\Documents\21AuZhb2IZO4VtTE6bD0JRMQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\p1I5rV98vAaNrgdqKD89E4ZhvbzAnJ4D	reg_value	C:\Users\test22\Documents\ouwTJfDgnxnfIPHckao5qkdQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ckJQf8VlFW6K2MTCPqLZKRt1qvEpYRax	reg_value	C:\Users\test22\Documents\QgoRXIySyouHy4vD67unmdLu.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1Sku4pMy6Iz8WgEr3VGBOR2FkTBq3dfi	reg_value	C:\Users\test22\Documents\U3zw8hwzTICb8kLuorX6RwkL.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ZeKknf4cnRqskYu1bcFAvCVX63DNbj2u	reg_value	C:\Users\test22\Documents\So5p7C4o5OfzuMXInqC5qi6k.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JwoucqBDY6APIS9Gbprsz10RVySPEoQw	reg_value	C:\Users\test22\Documents\rVPc1UAaTDMdgohP5LeOd5yX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\6WZoYv8upOsQ94bMsEqqwPnDroEr1dha	reg_value	C:\Users\test22\Documents\g2SFpP7mCJEkoSGnLXwxOGhR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tV6uqR2LqR48wHWY1ZfcUNd1AxuSYYAe	reg_value	C:\Users\test22\Documents\VBIT0TNQKU5Zj0oQ6jFJZ0eq.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\2Et3hkwSQabTi1CXzmBjdL6UT5EsGAJe	reg_value	C:\Users\test22\Documents\gcjeWdk3butR5qeyNqSAVCWg.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IZjlfEMQQ7OeOuoIQKmCKaFIosEMzadT	reg_value	C:\Users\test22\Documents\FDmStrW17bBfOKQVn4KtAwCq.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ub6w9Aa0d5dSkUBfytxZMyL3lK6x7mJB	reg_value	C:\Users\test22\Documents\A6JUHuV3OuOR6vG3PCc0J9fr.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PDLyEn20wc2IUVsQ0iFxAKlx1AwAkszU	reg_value	C:\Users\test22\Documents\ab9pxi3OUYxBRyT5B7BaLFff.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cX7D12QDmiM0683vXYSE5v2qYGvzIMUO	reg_value	C:\Users\test22\Documents\6eZtXEKrf6Pz5KlpOvkmArfF.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\eQpuHa5ZO71mr2oQipXtjfsnXf7T8szh	reg_value	C:\Users\test22\Documents\8URAHHzmqLMX8vtQ2zOlZbJq.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iBWldmbfHUbHXxydJHdwVqtQ77IApGdu	reg_value	C:\Users\test22\Documents\Kkf0cFfPQxJB3Gi9K8CtDZH9.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SGofdbzA0qo1gXuPUzaswJlgWv0GghyH	reg_value	C:\Users\test22\Documents\cfRas4woVn4jpalWJjj66Vn1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\eIJrlseT2h9FPIADpg33amum5ERM5rM6	reg_value	C:\Users\test22\Documents\2aImPRK3y3t8vt0vyUlH45FI.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XgwgbSXLVDuPA35MOyeBhg2Kil2XPy4I	reg_value	C:\Users\test22\Documents\UAHHHcSFYZFNuugqUhcYBLr1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\om7zaA6hIm6uJUhbKX9noLKS5bv9orbm	reg_value	C:\Users\test22\Documents\SPtkpwoGB32q9QqalPJNrqU1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cp49O63bKTzRYemWr7qUnw79JeR5oH6O	reg_value	C:\Users\test22\Documents\526CzyqB7UiXU5RQssCTqrMd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\r5ztp7wDXll63cdAKq3fj63JmDz8fNNx	reg_value	C:\Users\test22\Documents\pckK3qxAaHMBG92NGqmsA20p.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BpGlIyiJXxU79fJFVaLaSYvrtLu3p2yR	reg_value	C:\Users\test22\Documents\m5c71EUdUJoeY5UoNliU8UFv.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\4Y16Doef9CHSi7HlFpzxSKFXgCaM3PIL	reg_value	C:\Users\test22\Documents\0r6L8tUgleGklWoscc9iJpdm.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TeaBNRlt46EPpitrM2wqjgJK251fwoVi	reg_value	C:\Users\test22\Documents\OTRj1Xc6AlljOWJfVYdezpUt.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VPJSaG6PlfQHSVtvJDrq1128FE0AWXqU	reg_value	C:\Users\test22\Documents\8iPX7ass92pRS40wovR72nKx.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XKNVP63Nz6tzTBetvyvbLFVWji80k1Y3	reg_value	C:\Users\test22\Documents\XcCsRZS25ZqwnseSCfxy6d5d.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\z1vr7Cn7izSurXhxLw6sHoX4i7zgxPLD	reg_value	C:\Users\test22\Documents\hiUGM7m9fc7q9p9ABDDIsdSS.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\e1JANHJSoOdpGMmQvc4IfNhSnLAiSPfq	reg_value	C:\Users\test22\Documents\QBRVL5Bdy9IJWPTngP65hjKK.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\T0WBGl9Ytxx9VSeuMMSpsZh9nq5mEaAz	reg_value	C:\Users\test22\Documents\1G0UvAPrz0fHvohTmqKEpCpQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TXXaqWTSw8hvRjG8mEymBjIFskaoihFb	reg_value	C:\Users\test22\Documents\bkA5nOkN1GY80i8ULa2dt9h3.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PSsF6ouO3GsK71IbhUy5XREehyVoqaQG	reg_value	C:\Users\test22\Documents\CHmP0KhexFL1ANDmT31oL52t.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NNiITFic0l5F0kAEwqjaSKAoJ23RTYAR	reg_value	C:\Users\test22\Documents\O2AhbchIV684e3ocvZH1G7W7.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\N38aLQJblnjxPwKW1TCwFGqjQs2QTj4j	reg_value	C:\Users\test22\Documents\fCUN4ZzQYfE37jmLYCFaX5pC.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NZJdY2ICs9Z8vK6cP4adzVjcwQYk90pf	reg_value	C:\Users\test22\Documents\XRAAaYEHWmRU9y5m1sjD327G.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zrqIdhC2U4n2X5NoK58jujDzZsy2CqC0	reg_value	C:\Users\test22\Documents\U3wBOkteePl9Z70qvGy9cdR1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\o0svsJzn1xPctruj5BVA4igbY8921gV4	reg_value	C:\Users\test22\Documents\m5Lg4lA6NtpeT8T02JygfsHP.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TRWuJ7wUcVoyzrqqxRG25Asi1ycl51hq	reg_value	C:\Users\test22\Documents\x52D2POE3Bnfs0GLZPldWHVG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\jy3VeKZkx8OD7FxTWKmn7VWibuCAKcpG	reg_value	C:\Users\test22\Documents\jvtl2d46PSDXLSWsi4qEAdKS.exe

Loads a driver (6 events)

Time & API	Arguments	Return
NtLoadDriver March 22, 2021, 5:35 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\gq1m885	3221225473
NtLoadDriver March 22, 2021, 5:35 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\Omh0tPY66uaQ4l0	3221225473
NtLoadDriver March 22, 2021, 5:35 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\d5c06mrf3nzS0sy	3221225473
NtLoadDriver March 22, 2021, 5:35 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\2ykcJ4l0eJ15h	3221225473
NtLoadDriver March 22, 2021, 5:35 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\kN919ONa	3221225473
NtLoadDriver March 22, 2021, 5:35 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\o62R8ycVzQZY	3221225473

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1032 process_handle: 0x00000080	1	1	0
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6960 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7312 called NtSetContextThread to modify thread in remote process 1032
Process injection	Process 6956 called NtSetContextThread to modify thread in remote process 6960
NtSetContextThread March 22, 2021, 5:35 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1032	1	0	0
NtSetContextThread March 22, 2021, 5:35 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 6960	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7312 resumed a thread in remote process 1032
Process injection	Process 6956 resumed a thread in remote process 6960
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1032	1	0	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 6960	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (20 events)

cmdline	C:\Users\test22\Documents\qTNu8TCFSLOrYXbcuGavOpru.exe
cmdline	C:\Users\test22\Documents\8HrPGG5MacMcPDIYUY4uzHru.exe
cmdline	C:\Users\test22\Documents\eiryh07VzSBdV5uOlB4GIYRu.exe
cmdline	C:\Users\test22\Documents\DcZlQcp2nk54MWbnlORNvMRu.exe
cmdline	C:\Users\test22\Documents\T02wmnLojV4Rfp8l3LqlkrRu.exe
cmdline	C:\Users\test22\Documents\fQEtmVcLJyAsmQi8iifdfQDu.exe
cmdline	C:\Users\test22\Documents\wh1cvALlPL0y9iPYM4rCouru.exe
cmdline	C:\Users\test22\Documents\Q53VU5nmHpsFLMGsQOdXcqRU.exe
cmdline	C:\Users\test22\Documents\zLr16gvjS1IogumsrYofJjDU.exe
cmdline	C:\Users\test22\Documents\3KZPfhfsQgp9vjYmCJh75Kru.exe
cmdline	C:\Users\test22\Documents\o2BQq6zKHWAaQsbsisi02FrU.exe
cmdline	C:\Users\test22\Documents\79Ryu0RAul7a7clwvRR1JBRU.exe
cmdline	C:\Users\test22\Documents\GkKoFXoo08HusoIpU16bDtdU.exe
cmdline	C:\Users\test22\Documents\rc0VLAHxPTeFwKKFYEd4XYru.exe
cmdline	C:\Users\test22\Documents\fdK1wuwPiiYfLqR1TOIsjyrU.exe
cmdline	C:\Users\test22\Documents\s18NeuU4IIAQ5tgaZ9N2TXRu.exe
cmdline	C:\Users\test22\Documents\DH65yLUsgUNMa9eJOJTZZGRU.exe
cmdline	C:\Users\test22\Documents\u6irbMl48eUoueaZTeoCtLRu.exe
cmdline	C:\Users\test22\Documents\csfwNpmoK8E34nASPF7AGldu.exe
cmdline	C:\Users\test22\Documents\EbifxQ11dERxzdMsPvMWwBrU.exe

Generates some ICMP traffic

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

MicroWorld-eScan	Trojan.GenericKD.36543393
FireEye	Trojan.GenericKD.36543393
ALYac	Trojan.GenericKD.36543393
Sangfor	Trojan.Win32.Save.a
Alibaba	Ransom:Win32/Blocker.dc38e019
Arcabit	Trojan.Generic.D22D9BA1
BitDefenderTheta	Gen:NN.ZemsilF.34628.em0@au6akzd
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Ransom.MSIL.Blocker.gen
BitDefender	Trojan.GenericKD.36543393
Ad-Aware	Trojan.GenericKD.36543393
Emsisoft	Trojan.GenericKD.36543393 (B)
DrWeb	Trojan.Siggen12.47248
McAfee-GW-Edition	Artemis!Trojan
MAX	malware (ai score=82)
Microsoft	Program:Win32/Wacapew.C!ml
GData	Trojan.GenericKD.36543393
McAfee	Artemis!1C9BB6EFAEBB
SentinelOne	Static AI - Malicious PE
Fortinet	PossibleThreat
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Ransom.Blocker.HgIASRIA

Executed a process and injected code into it, probably while unpacking (50 out of 17724 events)

Time & API	Arguments	Status	Return
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000640 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000668 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000006b4 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000006d0 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000754 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x0000077c suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000007b0 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000007dc suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x0000080c suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x0000082c suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000860 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000888 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000980 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x0000099c suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000008bc suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x0000085c suspend_count: 1 process_identifier: 5032	1	0
CreateProcessInternalW March 22, 2021, 5:34 p.m.	thread_identifier: 4220 thread_handle: 0x0000089c process_identifier: 9168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\queeM2cQn445sP3z3DNfJmv7.exe track: 1 command_line: "C:\Users\test22\Documents\queeM2cQn445sP3z3DNfJmv7.exe" filepath_r: C:\Users\test22\Documents\queeM2cQn445sP3z3DNfJmv7.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000868	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000008bc suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000924 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x0000099c suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000008d4 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000930 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000900 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000920 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000008e8 suspend_count: 1 process_identifier: 5032	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 3968 thread_handle: 0x00000948 process_identifier: 2648 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\079d6Elc1QmiOG6jMdTGebqE.exe track: 1 command_line: "C:\Users\test22\Documents\079d6Elc1QmiOG6jMdTGebqE.exe" filepath_r: C:\Users\test22\Documents\079d6Elc1QmiOG6jMdTGebqE.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000408	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x0000089c suspend_count: 1 process_identifier: 5032	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\8gZHbIqxsHUFWpw9a5IsTDAP.exe track: 0 command_line: "C:\Users\test22\Documents\8gZHbIqxsHUFWpw9a5IsTDAP.exe" filepath_r: C:\Users\test22\Documents\8gZHbIqxsHUFWpw9a5IsTDAP.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 3080 thread_handle: 0x000007b8 process_identifier: 4104 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\R5OBPWKTPiD3JhILHPonZKTs.exe track: 1 command_line: "C:\Users\test22\Documents\R5OBPWKTPiD3JhILHPonZKTs.exe" filepath_r: C:\Users\test22\Documents\R5OBPWKTPiD3JhILHPonZKTs.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000008d0	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000918 suspend_count: 1 process_identifier: 5032	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\mgs5TIJ5jlnkZnawai6p3FOl.exe track: 0 command_line: "C:\Users\test22\Documents\mgs5TIJ5jlnkZnawai6p3FOl.exe" filepath_r: C:\Users\test22\Documents\mgs5TIJ5jlnkZnawai6p3FOl.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 4440 thread_handle: 0x00000948 process_identifier: 2572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\o4ow4y9aGUAUAw2RBlB55McU.exe track: 1 command_line: "C:\Users\test22\Documents\o4ow4y9aGUAUAw2RBlB55McU.exe" filepath_r: C:\Users\test22\Documents\o4ow4y9aGUAUAw2RBlB55McU.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009b0	1	1
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 7932 thread_handle: 0x000009bc process_identifier: 7312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\gJeEWceXwkagZPf5F38xDLuR.exe track: 1 command_line: "C:\Users\test22\Documents\gJeEWceXwkagZPf5F38xDLuR.exe" filepath_r: C:\Users\test22\Documents\gJeEWceXwkagZPf5F38xDLuR.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009b8	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000009b8 suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x0000094c suspend_count: 1 process_identifier: 5032	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000009b0 suspend_count: 1 process_identifier: 5032	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\SH65OLJbkzBYuMKhxYEhcXgO.exe track: 0 command_line: "C:\Users\test22\Documents\SH65OLJbkzBYuMKhxYEhcXgO.exe" filepath_r: C:\Users\test22\Documents\SH65OLJbkzBYuMKhxYEhcXgO.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 3004 thread_handle: 0x00000a14 process_identifier: 6956 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\MfJYv3SVzdEPvV5iPTwPkkCR.exe track: 1 command_line: "C:\Users\test22\Documents\MfJYv3SVzdEPvV5iPTwPkkCR.exe" filepath_r: C:\Users\test22\Documents\MfJYv3SVzdEPvV5iPTwPkkCR.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007b8	1	1
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 2860 thread_handle: 0x00000a1c process_identifier: 6708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\IZL9sKSOxW6e6zUZMMQOs0uj.exe track: 1 command_line: "C:\Users\test22\Documents\IZL9sKSOxW6e6zUZMMQOs0uj.exe" filepath_r: C:\Users\test22\Documents\IZL9sKSOxW6e6zUZMMQOs0uj.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a24	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000009e4 suspend_count: 1 process_identifier: 5032	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\d1FTVRMcpkCITYNOCLrNeP9O.exe track: 0 command_line: "C:\Users\test22\Documents\d1FTVRMcpkCITYNOCLrNeP9O.exe" filepath_r: C:\Users\test22\Documents\d1FTVRMcpkCITYNOCLrNeP9O.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000a0c suspend_count: 1 process_identifier: 5032	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\21AuZhb2IZO4VtTE6bD0JRMQ.exe track: 0 command_line: "C:\Users\test22\Documents\21AuZhb2IZO4VtTE6bD0JRMQ.exe" filepath_r: C:\Users\test22\Documents\21AuZhb2IZO4VtTE6bD0JRMQ.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0

Stops Windows services (6 events)

service	o62R8ycVzQZY (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\o62R8ycVzQZY\Start)
service	d5c06mrf3nzS0sy (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\d5c06mrf3nzS0sy\Start)
service	2ykcJ4l0eJ15h (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\2ykcJ4l0eJ15h\Start)
service	gq1m885 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gq1m885\Start)
service	kN919ONa (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kN919ONa\Start)
service	Omh0tPY66uaQ4l0 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Omh0tPY66uaQ4l0\Start)

PlayerUI5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All