Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 6:39 p.m.	March 22, 2021, 7:10 p.m.

Size	71.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`eb8c3efd163f76ec76dd419a696f513f`
SHA256	`bcc495c75df0a47f59a60fdfb870bf833f0d320aff3f1e316f1cd96b5e578c07`
CRC32	`B58DDBA4`
ssdeep	`768:RdTddyzeY8phVbizLDQ9ANxKeE3R4ekDlEJJJJJJJJJJJJJJJJJcgll3YELFBk6O:elJE465sseeQXJH4CfK/CUcgQIq`
PDB Path	C:\Users\Test\Desktop\Desktop Files\Modern-Media-Player-UI-C-Sharp-master\PlayerUI\obj\Release\PlayerUI.pdb
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

PlayerUI6.exe "C:\Users\test22\AppData\Local\Temp\PlayerUI6.exe"
6200
- Pbt2MuyZJ5WF8UP93ckIgyZB.exe "C:\Users\test22\Documents\Pbt2MuyZJ5WF8UP93ckIgyZB.exe"
  5704
- OHWLOHg5g9aLYcDMB5TUWt5Q.exe "C:\Users\test22\Documents\OHWLOHg5g9aLYcDMB5TUWt5Q.exe"
  7128
  - OHWLOHg5g9aLYcDMB5TUWt5Q.exe "C:\Users\test22\Documents\OHWLOHg5g9aLYcDMB5TUWt5Q.exe"
    6684
- LF4P6cfUTnfiR3D9Me5pfsFz.exe "C:\Users\test22\Documents\LF4P6cfUTnfiR3D9Me5pfsFz.exe"
  7588
- AF8VXYNVwqbl492tlAflyh1I.exe "C:\Users\test22\Documents\AF8VXYNVwqbl492tlAflyh1I.exe"
  2308
  - AF8VXYNVwqbl492tlAflyh1I.exe "C:\Users\test22\Documents\AF8VXYNVwqbl492tlAflyh1I.exe"
    3984
- NzAYgJ1WyW4Z6zOEcs5Pvlbp.exe "C:\Users\test22\Documents\NzAYgJ1WyW4Z6zOEcs5Pvlbp.exe"
  4288

Name	Response	Post-Analysis Lookup
aretywer.xyz	A 45.144.30.78	45.144.30.78
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.98.190
www.investinae.com	CNAME investinae.com A 108.167.143.77	108.167.143.77
iplogger.org	A 88.99.66.31	88.99.66.31
msiamericas.com	A 141.136.39.190	141.136.39.190
d0wnl0ads.online
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	172.67.162.110
digitalassets.ams3.digitaloceanspaces.com	A 5.101.110.225	5.101.110.225
whatitis.site	A 91.200.41.57 A 92.63.99.163	92.63.99.163
mytoolsprivacy.site	A 179.43.158.179	179.43.158.179
jg3.3uag.pw

IP Address	Status	Action
103.124.106.203	Active	Moloch
104.21.66.169	Active	Moloch
104.23.98.190	Active	Moloch
108.167.143.77	Active	Moloch
141.136.39.190	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
179.43.158.179	Active	Moloch
188.93.233.223	Active	Moloch
45.133.1.139	Active	Moloch
45.144.30.78	Active	Moloch
5.101.110.225	Active	Moloch
88.99.66.31	Active	Moloch
91.200.41.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49810 -> 104.23.98.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 141.136.39.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49818 -> 141.136.39.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49818 -> 141.136.39.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49808 -> 45.133.1.139:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49820 -> 108.167.143.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:51857 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.200.41.57:80 -> 192.168.56.102:49811	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49814 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.144.30.78:80 -> 192.168.56.102:49817	2014819	ET INFO Packed Executable Download	Misc activity
TCP 91.200.41.57:80 -> 192.168.56.102:49811	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.200.41.57:80 -> 192.168.56.102:49811	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.144.30.78:80 -> 192.168.56.102:49817	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.139:80 -> 192.168.56.102:49808	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.139:80 -> 192.168.56.102:49808	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.133.1.139:80 -> 192.168.56.102:49808	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49809 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49812 -> 103.124.106.203:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 179.43.158.179:80 -> 192.168.56.102:49819	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 141.136.39.190:443 -> 192.168.56.102:49818	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.136.39.190:443 -> 192.168.56.102:49818	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49810 104.23.98.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a
TLSv1 192.168.56.102:49809 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49825 88.99.66.31:443	None	None	None

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 7:09 p.m.			0	0
IsDebuggerPresent March 22, 2021, 7:09 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Test\Desktop\Desktop Files\Modern-Media-Player-UI-C-Sharp-master\PlayerUI\obj\Release\PlayerUI.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 6:39 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.133.1.139/Manager/Temp/ZsvSrXaLxi4WHK1yiJGb7SHx/DIqMUyT98Untp5QhexOCjQdS.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatitis.site/dlc/mixinte
suspicious_features	Connection to IP address	suspicious_request	GET http://103.124.106.203/cof4/inst.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ixtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/mH2EJxkv
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1lA5k

Performs some HTTP requests (9 events)

request	GET http://45.133.1.139/Manager/Temp/ZsvSrXaLxi4WHK1yiJGb7SHx/DIqMUyT98Untp5QhexOCjQdS.exe
request	GET http://whatitis.site/dlc/mixinte
request	GET http://103.124.106.203/cof4/inst.exe
request	GET http://file.ekkggr3.com/iuww/jvppp.exe
request	GET http://aretywer.xyz/Corepad092.exe
request	GET http://mytoolsprivacy.site/downloads/privacytools3.exe
request	GET https://iplogger.org/1ixtu7
request	GET https://pastebin.com/raw/mH2EJxkv
request	GET https://iplogger.org/1lA5k

Allocates read-write-execute memory (usually to unpack itself) (45 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00391000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00396000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 7:08 p.m.	process_identifier: 5704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ab000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 7:08 p.m.	process_identifier: 5704 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 7128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 7128 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 7588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 7588 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 2308 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 4288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 4288 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (50 out of 5148 events)

file	C:\Users\test22\Documents\nzaclzgbHXJFmaJWGtJh5aJH.exe
file	C:\Users\test22\Documents\VDAihR3ru2oOGbA6ulrkFm2o.exe
file	C:\Users\test22\Documents\zGXZF64Pg4gty9twKUKHOZ8K.exe
file	C:\Users\test22\Documents\adxzIBE7BZdIgK1HwLYfbk1P.exe
file	C:\Users\test22\Documents\kohcKN3IOaoyE6hCR3n9F5ll.exe
file	C:\Users\test22\Documents\TegolIuW9r0XqsXZG68CxQi8.exe
file	C:\Users\test22\Documents\6bdLVWEqPftrg2mpnD6fNnpl.exe
file	C:\Users\test22\Documents\QeT6Hh3CwN2xrqHUYCYrmEx4.exe
file	C:\Users\test22\Documents\hvdnCGSfsjf3R9YBKsMEcqaA.exe
file	C:\Users\test22\Documents\KGBLlwX9yBtWiSonM1yWzueU.exe
file	C:\Users\test22\Documents\Km2TNOxF8F4VTWxqTwgm08Sz.exe
file	C:\Users\test22\Documents\OXQC3DToAaOrRXt2TCQKsTxv.exe
file	C:\Users\test22\Documents\33M44f7gDndZkWwSDdd9OjAu.exe
file	C:\Users\test22\Documents\XpBAVpkoVoRFFhJGyg5Z1Q1I.exe
file	C:\Users\test22\Documents\ajkv89WFwHeyRWvGJBuhiwxW.exe
file	C:\Users\test22\Documents\FBPvpgPODUtBMQ8IbE3rEvKj.exe
file	C:\Users\test22\Documents\XawFLhSHZ9bw88fiWqFYanof.exe
file	C:\Users\test22\Documents\6oqx0vXbANgaMCjgaQg44fjk.exe
file	C:\Users\test22\Documents\cKvSaNI15KgRYlVJfnjKzqyy.exe
file	C:\Users\test22\Documents\Rj3V6fIT4LhLXOn7WGUMwrpW.exe
file	C:\Users\test22\Documents\bcZ9DuI56nJvshe3MyEKJn4Z.exe
file	C:\Users\test22\Documents\CXfszy7YSlN2SFREvQqnq0ar.exe
file	C:\Users\test22\Documents\vqApn7c50IHRMjQZvjsihH7r.exe
file	C:\Users\test22\Documents\bdHQNRZzdf2z37INdTivDc0G.exe
file	C:\Users\test22\Documents\QYX78vNp9N8U8eG4121HKkMo.exe
file	C:\Users\test22\Documents\2D0flIfyn82KtXn17bbRmmrV.exe
file	C:\Users\test22\Documents\YBG3HA6IKWF03KmACzw6Pc1S.exe
file	C:\Users\test22\Documents\KZk6fDTp78U27NI9opzOLlv8.exe
file	C:\Users\test22\Documents\TTGWHjb0owWU4EIlLGU1dWGY.exe
file	C:\Users\test22\Documents\DIvOSjxyy3FduUnICbY70l8M.exe
file	C:\Users\test22\Documents\wlX9VSsNvYJfkaIQuBOKhfyk.exe
file	C:\Users\test22\Documents\4ci5meE7CfChPwoVcxBQE03h.exe
file	C:\Users\test22\Documents\fBJUzrPUWvBgLneXlKoYIZUx.exe
file	C:\Users\test22\Documents\TJJBMcQ0zzTbsltfk1H8ov7q.exe
file	C:\Users\test22\Documents\D0J4lYC3b0Lp7SRMZZhBKOBB.exe
file	C:\Users\test22\Documents\ZXlwx0qZmn4iLMaQK4ulVBzu.exe
file	C:\Users\test22\Documents\wZ7aJpjm6qwCx7VsotbyM3T4.exe
file	C:\Users\test22\Documents\yoHoMlI2p6kDOU4VWgyutbKe.exe
file	C:\Users\test22\Documents\HxWsHcEzz6NHmmyH9rpPhdj1.exe
file	C:\Users\test22\Documents\itTBWONKYKQMhg2iQkAx9jYY.exe
file	C:\Users\test22\Documents\Y4EDVanE2h0w3ofHskimjjKc.exe
file	C:\Users\test22\Documents\TeUCqiooAjJp7LmQ8hV8O4EU.exe
file	C:\Users\test22\Documents\zlcbGlxBTdZxE7RrvltBTTSV.exe
file	C:\Users\test22\Documents\xrR8JBsEhyCdnTkGzYQwNd2i.exe
file	C:\Users\test22\Documents\yeBFOpbmJbLwp5CZw5jMKQQH.exe
file	C:\Users\test22\Documents\lWwoCuKnHBux0wZj7fXqYbOf.exe
file	C:\Users\test22\Documents\19UUlzOrhxDUIRCIKjj6g3iI.exe
file	C:\Users\test22\Documents\CsPPHTTozwRbCT1VrO2QP7eI.exe
file	C:\Users\test22\Documents\kdrZK0tPkZ22ZHl1puTJVjRT.exe
file	C:\Users\test22\Documents\9w7mfuPwqcJ3AZNroDdCo0o6.exe

Drops a binary and executes it (4 events)

file	C:\Users\test22\Documents\Pbt2MuyZJ5WF8UP93ckIgyZB.exe
file	C:\Users\test22\Documents\AF8VXYNVwqbl492tlAflyh1I.exe
file	C:\Users\test22\Documents\NzAYgJ1WyW4Z6zOEcs5Pvlbp.exe
file	C:\Users\test22\Documents\iEs42uhMNbkkCINdKjqwrID4.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\4DD3.tmp

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 6:39 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00011200', u'virtual_address': u'0x00002000', u'entropy': 7.060275648624989, u'name': u'.text', u'virtual_size': u'0x00011178'}

entropy

7.06027564862

description

A section with a high entropy has been found

entropy

0.971631205674

description

Overall entropy of this PE file is high

Yara rule detected in process memory (14 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	C:\Users\test22\Documents\bDtFvCkGFio1sqVJ3BddWsSC.exe
cmdline	C:\Users\test22\Documents\8ARyiAxCA8VmslEhPAcb2yat.exe
cmdline	C:\Users\test22\Documents\QSHm5F4xInnJ7MI03aSklgAt.exe
cmdline	C:\Users\test22\Documents\uc1suvkjB1JDDsUxdYyO8hAt.exe
cmdline	C:\Users\test22\Documents\SRimcpKN4FnidYZiJks7Xgsc.exe
cmdline	C:\Users\test22\Documents\tfG0De97ERVqWrZHzheVtcAT.exe
cmdline	C:\Users\test22\Documents\urTCFYenweEQAsh7IVzBzDel.exe
cmdline	C:\Users\test22\Documents\hAdTexnmjzaqLGh4bpdE5dir.exe
cmdline	C:\Users\test22\Documents\HvICrPNIIiMtO31ZwRVwrsaT.exe
cmdline	C:\Users\test22\Documents\slGshJm8HBGHryg34qum8ISc.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 7d3402a52c946b042a10f289a9c9f0d45df441ef

Communicates with host for which no DNS query was performed (4 events)

host	103.124.106.203
host	172.217.25.14
host	188.93.233.223
host	45.133.1.139

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 6684 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0
NtAllocateVirtualMemory March 22, 2021, 7:09 p.m.	process_identifier: 3984 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 22, 2021, 6:39 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (50 out of 5149 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Muavi Music Player Jgd_fdqMrgOyijoGSgMFcTcbK33JxBiNlUQE	reg_value	C:\Users\test22\AppData\Roaming\MicrosoftneKalbqsNzpwtR 9qrHv_a51Updater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m6meFfGjxgS6HhuVQQjbgeDqZ3YMTffa	reg_value	C:\Users\test22\Documents\Pbt2MuyZJ5WF8UP93ckIgyZB.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\25FMH4QSB14ZRfN665luMloGBCeEmPLE	reg_value	C:\Users\test22\Documents\CsPPHTTozwRbCT1VrO2QP7eI.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\R8KEZLpwpzKKJBszYqONLcri9SDr51se	reg_value	C:\Users\test22\Documents\OHWLOHg5g9aLYcDMB5TUWt5Q.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RlFHH81yHq8DHd25K34i7IRFPEeb5C9d	reg_value	C:\Users\test22\Documents\LF4P6cfUTnfiR3D9Me5pfsFz.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\U92DdZ2FqfDCfhhwqivQrpLPLvz5hXod	reg_value	C:\Users\test22\Documents\AF8VXYNVwqbl492tlAflyh1I.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xm1sj7hS0kypgJPgqYcVuwTVhvcycZsm	reg_value	C:\Users\test22\Documents\NzAYgJ1WyW4Z6zOEcs5Pvlbp.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TfLxet0b1MRLiWOhllhIN7U8NJVE0VdS	reg_value	C:\Users\test22\Documents\YVk3RJx0ymiWBihTcYiWIF4B.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LMkUXwkgt8u8vcimPbWGcgr1YP4zl6uo	reg_value	C:\Users\test22\Documents\ajkv89WFwHeyRWvGJBuhiwxW.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fs6I1u4xNGMh2wNNuWjeaYPl4NWdnoOE	reg_value	C:\Users\test22\Documents\vOkwZBrAh8FSlwUqdISGar3p.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dVOoYbJj2IM6fgJKNxaHStBHYoijSJ65	reg_value	C:\Users\test22\Documents\U5QqEjIwDSFfjxyr4EWEHYOH.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TGPt3jQsLQPVTZztay8wGkggdKoHTm7k	reg_value	C:\Users\test22\Documents\rJMtVeXmJgnbk2LY5L0U8Gyt.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ksQt4JYiToA09lewFYhKUM4mFJvNsxcT	reg_value	C:\Users\test22\Documents\VdZOOntjP5QTm0EfVG4JHBnt.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\yonvYL0fMrBT68aFtbnnM6x2oAllttyW	reg_value	C:\Users\test22\Documents\zqogWApFgrA7zNfulHEtecZX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0uHXjPwd3pCpQsrzuSwqKpqcM84ttvhe	reg_value	C:\Users\test22\Documents\RRssX3rV0fvILLxnq99DywL2.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EpLlUCtHHhja0FCbgL72aJSEl6bicAfl	reg_value	C:\Users\test22\Documents\Gz1mwTvltSPgJIW8RKSg9erL.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WGAXkLpGB8SKh5TW4QUTuqgoyPakBrET	reg_value	C:\Users\test22\Documents\IqhHHKQqiHZli6HLH19yhyv4.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kViUuFFU38P4JSNBK71cG5A2lOCYxwyc	reg_value	C:\Users\test22\Documents\4nvBJ3GWbSjko6oMim3RecKp.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VqsgDrgHKxcD1YrYUfP1OUL2Kw85pR1u	reg_value	C:\Users\test22\Documents\cGayUvmVMPqpqtDQZ2Hhksio.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\f0VQslb25rfF5EWONtJpzRlLX7u6FxR1	reg_value	C:\Users\test22\Documents\hvdnCGSfsjf3R9YBKsMEcqaA.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PK3u0exIaotc6KeL6ChMUBrE2okH5iTl	reg_value	C:\Users\test22\Documents\VcHMuBxGIn7jdTFGW71thuLO.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cz2M3pN1UILDN3D4w3Wf22ePeYoPvzXS	reg_value	C:\Users\test22\Documents\R36kICQnzyJzjmKLdpweN83N.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\UmsfB7Gfu2EdvuusKM4lXEyXaEm3GEql	reg_value	C:\Users\test22\Documents\9tHSJDtJlReaaG8jm2sTmYUk.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xVF7UMZqMcEOwNX5EQaYYQV4PuwF4QHq	reg_value	C:\Users\test22\Documents\Zh8gVOInL9piCfy2HAJZdtNQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9KrjaTw6VY4EeXw37byZ4vdpo3cr44Xe	reg_value	C:\Users\test22\Documents\TrtAJKT8j8VjbjF3nNVNTz2g.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qB4h1FBaAZOSXyaN3iMehaAneMQcofeX	reg_value	C:\Users\test22\Documents\zMA8dtiPMZODpBYQacP1AcmO.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BRCpzivf51slg8Y1KFGtYu0XSnbmhCHc	reg_value	C:\Users\test22\Documents\kvRbyBYHYxCPwG3mBC8bPHqQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\apWLHJ82tPfej13cwQr1a59AgY8bv7cI	reg_value	C:\Users\test22\Documents\FBZh8sSzCgU5YRGCnGRKA61Q.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pVotKgHwxXTZtkGqhzT8u1O44LO5kr3K	reg_value	C:\Users\test22\Documents\KJHTVGs2ibLIwmdwMzXuP90e.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huy9SLMFdJHH6GOiHRpVfzm1ImM3fdea	reg_value	C:\Users\test22\Documents\SmoAb9rBTYVZSDCmtqMaq1uy.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\H70q9SkAoqOGMgXYihIQ4d4M5ja1KGNe	reg_value	C:\Users\test22\Documents\2z3rLstHMP5J65qncnSYMYSR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CnuZ1sziduil7JhfYOk98pfWJflQPiOf	reg_value	C:\Users\test22\Documents\hljO1CI3p4ePrja5Q30pPBXo.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HYPWHiS5gCXB7TNpMn4B3jVUhd45RNE0	reg_value	C:\Users\test22\Documents\O5LOStC7F6w6By8HWUQAbYqX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\D5znoXnS8hwIMTMhxXXCJW3kT0xqZQVk	reg_value	C:\Users\test22\Documents\PyG3dp0gn0a8b6KDHkyyeodi.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BOUxj63rLLyodoqkfHzCW8aR9ASIPPU3	reg_value	C:\Users\test22\Documents\Ui0i0M1QNHA4KB1xYRBGQbYq.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\yCyiovc514eTIFtbajyDPbEwqjhzpKRx	reg_value	C:\Users\test22\Documents\JJgl1DqQNSt8NMUtkakJlWUD.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\7B2ENnQqmrdpT4MS7XNbUwEp8DIgcPPi	reg_value	C:\Users\test22\Documents\zcwyPHlb0xHSrBkerIsChRxX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\6NGKftOWc5A4D7DaJA33FEHD2VkCKEeS	reg_value	C:\Users\test22\Documents\pZ1OPgONhaqAh5Lw6aEKEWCL.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\FDRJJMMXashXpB9FSGrwgfIlllpgDazN	reg_value	C:\Users\test22\Documents\WpSCaDrxMThm4Rt8WoBDcJF1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5qiihqUA2UyOEmSucrpWU52PST1GocvQ	reg_value	C:\Users\test22\Documents\ja6Xwhn9HKLMtVTVo6vWbTUk.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ySPNyNVZjhIrKMvXPOgJldsOCzdniBmH	reg_value	C:\Users\test22\Documents\FWcG9FcazKUYhERBnB4un8P9.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kBK8ts0i5Als5EhAm4UqosSd8DXBgNqA	reg_value	C:\Users\test22\Documents\GcRqzPmmy4z95j1aQheYbGYU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\trAqVzBrUlo88t58BOmWnYfzhLCBbJOV	reg_value	C:\Users\test22\Documents\D7GxEn2GDRE47JfL9ewgvsq2.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LLJKwAPKWSruojW0eYHQxJUA7wcnorQ6	reg_value	C:\Users\test22\Documents\QOEWmLuOPXkWehNQixegFTOV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1IMAhlfoCvt5Y5x462IYJIKdKcMApjtC	reg_value	C:\Users\test22\Documents\AtLaCkbOHZ9Lzdl9boCqM7hC.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\7tzFZf9cBrsPV3gfLmey9Gte1pJhzZMD	reg_value	C:\Users\test22\Documents\MIj3Xbqf4UJEtqlg1IuTzI3s.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9UNuVcnleoAd723jgFdSDrhgeL5jR9ZK	reg_value	C:\Users\test22\Documents\P16ollGZVrCC7VK7lPIMoEt1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xrPKgDUePzV2NnLKBkOmKNKxLNNtTzjr	reg_value	C:\Users\test22\Documents\IEoQYWD2DahTVrAsViqjlbxR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\gb8TzkLZQol0KeDJOOgIJpcEsfWxSheG	reg_value	C:\Users\test22\Documents\RXcrG2VAGCEfVHesWghBMKGk.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\84lUOYHsJfjRSXPMDAReZviD6dT3ufcS	reg_value	C:\Users\test22\Documents\Q2Lp3CKf0oPqfoi2dYx8o8a0.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2021, 7:09 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6684 process_handle: 0x00000080	1	1	0
WriteProcessMemory March 22, 2021, 7:09 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3984 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7128 called NtSetContextThread to modify thread in remote process 6684
Process injection	Process 2308 called NtSetContextThread to modify thread in remote process 3984
NtSetContextThread March 22, 2021, 7:09 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 6684	1	0	0
NtSetContextThread March 22, 2021, 7:09 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 3984	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7128 resumed a thread in remote process 6684
Process injection	Process 2308 resumed a thread in remote process 3984
NtResumeThread March 22, 2021, 7:09 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 6684	1	0	0
NtResumeThread March 22, 2021, 7:09 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 3984	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (11 events)

cmdline	C:\Users\test22\Documents\v2dTibFmhkql5Pd5B9icodru.exe
cmdline	C:\Users\test22\Documents\atzzruLKZS7JsqwrnDC0Mqdu.exe
cmdline	C:\Users\test22\Documents\T2oARfSD3IoCL1AqbuwhClRU.exe
cmdline	C:\Users\test22\Documents\p8il3X8tSrs1cWmNOW79duRU.exe
cmdline	C:\Users\test22\Documents\kn1PoW0m68lynGXFbZ1vYKru.exe
cmdline	C:\Users\test22\Documents\lPx0CP0qBgOeWWyshN2SPgRu.exe
cmdline	C:\Users\test22\Documents\QYWeHpl7KKLZynMQAeG7a3ru.exe
cmdline	C:\Users\test22\Documents\DWvEMajBMmHZmt5jWSHOgqRU.exe
cmdline	C:\Users\test22\Documents\Gu5dVY1jzceqmoB1YVDRY8Ru.exe
cmdline	C:\Users\test22\Documents\zhcFm7Qz7iFCegJ6mV7iVhRu.exe
cmdline	C:\Users\test22\Documents\Kw4usGBOxnOoo76I1lLKcdDu.exe

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

MicroWorld-eScan	Trojan.GenericKD.36543445
ALYac	Trojan.GenericKD.36543445
Sangfor	Trojan.Win32.Save.a
BitDefender	Trojan.GenericKD.36543445
Arcabit	Trojan.Generic.D22D9BD5
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Ransom.MSIL.Blocker.gen
Alibaba	Ransom:Win32/Blocker.5bde1d2a
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.36543445
DrWeb	Trojan.Siggen12.47248
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.36543445
Emsisoft	Trojan.GenericKD.36543445 (B)
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=85)
Microsoft	Ransom:Win32/Blocker
ZoneAlarm	HEUR:Trojan-Ransom.MSIL.Blocker.gen
GData	Trojan.GenericKD.36543445
AhnLab-V3	Trojan/Win.Blocker.R373468
McAfee	RDN/Ransom
Fortinet	PossibleThreat
BitDefenderTheta	Gen:NN.ZemsilF.34628.em0@aeFcVlh
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Ransom.Blocker.HgIASRIA

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

188.93.233.223:80

Executed a process and injected code into it, probably while unpacking (50 out of 10334 events)

Time & API	Arguments	Status	Return
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000638 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000064c suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000660 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000674 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000688 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006b4 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006f8 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000710 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000734 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000074c suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000778 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000840 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000898 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000978 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000009a0 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000858 suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 6636 thread_handle: 0x000009e4 process_identifier: 5704 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\Pbt2MuyZJ5WF8UP93ckIgyZB.exe track: 1 command_line: "C:\Users\test22\Documents\Pbt2MuyZJ5WF8UP93ckIgyZB.exe" filepath_r: C:\Users\test22\Documents\Pbt2MuyZJ5WF8UP93ckIgyZB.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009e8	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000914 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000099c suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000980 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000750 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000938 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000734 suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 2584 thread_handle: 0x0000083c process_identifier: 7128 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\OHWLOHg5g9aLYcDMB5TUWt5Q.exe track: 1 command_line: "C:\Users\test22\Documents\OHWLOHg5g9aLYcDMB5TUWt5Q.exe" filepath_r: C:\Users\test22\Documents\OHWLOHg5g9aLYcDMB5TUWt5Q.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006e4	1	1
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\CsPPHTTozwRbCT1VrO2QP7eI.exe track: 0 command_line: "C:\Users\test22\Documents\CsPPHTTozwRbCT1VrO2QP7eI.exe" filepath_r: C:\Users\test22\Documents\CsPPHTTozwRbCT1VrO2QP7eI.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 5012 thread_handle: 0x00000770 process_identifier: 7588 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\LF4P6cfUTnfiR3D9Me5pfsFz.exe track: 1 command_line: "C:\Users\test22\Documents\LF4P6cfUTnfiR3D9Me5pfsFz.exe" filepath_r: C:\Users\test22\Documents\LF4P6cfUTnfiR3D9Me5pfsFz.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000894	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000834 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000007e8 suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000890 suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\YVk3RJx0ymiWBihTcYiWIF4B.exe track: 0 command_line: "C:\Users\test22\Documents\YVk3RJx0ymiWBihTcYiWIF4B.exe" filepath_r: C:\Users\test22\Documents\YVk3RJx0ymiWBihTcYiWIF4B.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 6344 thread_handle: 0x000006ec process_identifier: 2308 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\AF8VXYNVwqbl492tlAflyh1I.exe track: 1 command_line: "C:\Users\test22\Documents\AF8VXYNVwqbl492tlAflyh1I.exe" filepath_r: C:\Users\test22\Documents\AF8VXYNVwqbl492tlAflyh1I.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000067c	1	1
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 5676 thread_handle: 0x00000674 process_identifier: 4288 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\NzAYgJ1WyW4Z6zOEcs5Pvlbp.exe track: 1 command_line: "C:\Users\test22\Documents\NzAYgJ1WyW4Z6zOEcs5Pvlbp.exe" filepath_r: C:\Users\test22\Documents\NzAYgJ1WyW4Z6zOEcs5Pvlbp.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000634	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000710 suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\ajkv89WFwHeyRWvGJBuhiwxW.exe track: 0 command_line: "C:\Users\test22\Documents\ajkv89WFwHeyRWvGJBuhiwxW.exe" filepath_r: C:\Users\test22\Documents\ajkv89WFwHeyRWvGJBuhiwxW.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000894 suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\vOkwZBrAh8FSlwUqdISGar3p.exe track: 0 command_line: "C:\Users\test22\Documents\vOkwZBrAh8FSlwUqdISGar3p.exe" filepath_r: C:\Users\test22\Documents\vOkwZBrAh8FSlwUqdISGar3p.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000700 suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\U5QqEjIwDSFfjxyr4EWEHYOH.exe track: 0 command_line: "C:\Users\test22\Documents\U5QqEjIwDSFfjxyr4EWEHYOH.exe" filepath_r: C:\Users\test22\Documents\U5QqEjIwDSFfjxyr4EWEHYOH.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000076c suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\rJMtVeXmJgnbk2LY5L0U8Gyt.exe track: 0 command_line: "C:\Users\test22\Documents\rJMtVeXmJgnbk2LY5L0U8Gyt.exe" filepath_r: C:\Users\test22\Documents\rJMtVeXmJgnbk2LY5L0U8Gyt.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000006ec suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\VdZOOntjP5QTm0EfVG4JHBnt.exe track: 0 command_line: "C:\Users\test22\Documents\VdZOOntjP5QTm0EfVG4JHBnt.exe" filepath_r: C:\Users\test22\Documents\VdZOOntjP5QTm0EfVG4JHBnt.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 6200	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\zqogWApFgrA7zNfulHEtecZX.exe track: 0 command_line: "C:\Users\test22\Documents\zqogWApFgrA7zNfulHEtecZX.exe" filepath_r: C:\Users\test22\Documents\zqogWApFgrA7zNfulHEtecZX.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0

PlayerUI6.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All