Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 6:39 p.m.	March 22, 2021, 7:40 p.m.

Size	71.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d6687321a99faf81d8a0e0df030fb8ce`
SHA256	`2a657c99025d05b2c5dddc0d7809644d1c3638977403ce62d16af9323e3c884e`
CRC32	`CBB8F1B7`
ssdeep	`768:adTddyzeY8phVbizLDQ9ANxKeE3R4ekDlEJJJJJJJJJJJJJJJJJcgll3YELFBk69:3lJE464sseeQXJH4CfK/CUcgQIO`
PDB Path	C:\Users\Test\Desktop\Desktop Files\Modern-Media-Player-UI-C-Sharp-master\PlayerUI\obj\Release\PlayerUI.pdb
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

PlayerUI4.exe "C:\Users\test22\AppData\Local\Temp\PlayerUI4.exe"
9068
- MDz03KDx5tY2Bi5d8d4StQ89.exe "C:\Users\test22\Documents\MDz03KDx5tY2Bi5d8d4StQ89.exe"
  6568
- JPEYSv7sm1a4YU5Z3WT22w29.exe "C:\Users\test22\Documents\JPEYSv7sm1a4YU5Z3WT22w29.exe"
  5992
- jQqtjXfsGV8RG8UdedlCTkGa.exe "C:\Users\test22\Documents\jQqtjXfsGV8RG8UdedlCTkGa.exe"
  7012
- EvIqSAozfNjxrPXQ4lbDswfK.exe "C:\Users\test22\Documents\EvIqSAozfNjxrPXQ4lbDswfK.exe"
  3320
  - EvIqSAozfNjxrPXQ4lbDswfK.exe "C:\Users\test22\Documents\EvIqSAozfNjxrPXQ4lbDswfK.exe"
    3468
- Q8CnUR0O37LKIHIksSmOScYw.exe "C:\Users\test22\Documents\Q8CnUR0O37LKIHIksSmOScYw.exe"
  7672
- IBtSNOSLSb41VdOtNJVApfMD.exe "C:\Users\test22\Documents\IBtSNOSLSb41VdOtNJVApfMD.exe"
  7000
- ppVmpMiM4YEQRsFVQ9dYWPAY.exe "C:\Users\test22\Documents\ppVmpMiM4YEQRsFVQ9dYWPAY.exe"
  6652
- qxx0TeSEcd64gVTUqJcsSLzZ.exe "C:\Users\test22\Documents\qxx0TeSEcd64gVTUqJcsSLzZ.exe"
  6636
- BEM5sD4e7YrRvA0NLvlEab9M.exe "C:\Users\test22\Documents\BEM5sD4e7YrRvA0NLvlEab9M.exe"
  5328
  - BEM5sD4e7YrRvA0NLvlEab9M.exe "C:\Users\test22\Documents\BEM5sD4e7YrRvA0NLvlEab9M.exe"
    5280

Name	Response	Post-Analysis Lookup
aretywer.xyz	A 45.144.30.78	45.144.30.78
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.98.190
www.investinae.com	CNAME investinae.com A 108.167.143.77	108.167.143.77
iplogger.org	A 88.99.66.31	88.99.66.31
msiamericas.com	A 141.136.39.190	141.136.39.190
d0wnl0ads.online
whatitis.site	A 91.200.41.57 A 92.63.99.163	91.200.41.57
digitalassets.ams3.digitaloceanspaces.com	A 5.101.110.225	5.101.110.225
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	104.21.66.169
mytoolsprivacy.site	A 179.43.158.179	179.43.158.179
jg3.3uag.pw

IP Address	Status	Action
103.124.106.203	Active	Moloch
104.23.98.190	Active	Moloch
108.167.143.77	Active	Moloch
141.136.39.190	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.162.110	Active	Moloch
179.43.158.179	Active	Moloch
188.93.233.223	Active	Moloch
45.133.1.139	Active	Moloch
45.144.30.78	Active	Moloch
5.101.110.225	Active	Moloch
88.99.66.31	Active	Moloch
91.200.41.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49814 -> 103.124.106.203:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49813 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49811 -> 188.93.233.223:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49819 -> 108.167.143.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.124.106.203:80 -> 192.168.56.102:49814	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49814	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49809 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49810 -> 104.23.98.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 188.93.233.223:80 -> 192.168.56.102:49811	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 188.93.233.223:80 -> 192.168.56.102:49811	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.102:51857 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49807 -> 45.133.1.139:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49812 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49816 -> 141.136.39.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49816 -> 141.136.39.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49816 -> 141.136.39.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.144.30.78:80 -> 192.168.56.102:49817	2014819	ET INFO Packed Executable Download	Misc activity
TCP 179.43.158.179:80 -> 192.168.56.102:49818	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.144.30.78:80 -> 192.168.56.102:49817	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.139:80 -> 192.168.56.102:49807	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.139:80 -> 192.168.56.102:49807	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.133.1.139:80 -> 192.168.56.102:49807	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49829 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.200.41.57:80 -> 192.168.56.102:49820	2014819	ET INFO Packed Executable Download	Misc activity
TCP 91.200.41.57:80 -> 192.168.56.102:49820	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.200.41.57:80 -> 192.168.56.102:49820	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 141.136.39.190:443 -> 192.168.56.102:49816	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.136.39.190:443 -> 192.168.56.102:49816	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49809 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49810 104.23.98.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a
TLSv1 192.168.56.102:49829 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:40 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:40 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Test\Desktop\Desktop Files\Modern-Media-Player-UI-C-Sharp-master\PlayerUI\obj\Release\PlayerUI.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 6:39 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 22, 2021, 6:40 p.m.	stacktrace: 0x2d8211f 0x2480a05 0x24802b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2de6108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 11870288 registers.ecx: 1637816	1	0	0
__exception__ March 22, 2021, 6:40 p.m.	stacktrace: 0x2c5211f 0x2350a05 0x23502b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2cb6108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 11870288 registers.ecx: 1637816	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.133.1.139/Manager/Temp/Ryo2zvWeVt7DR5GJAxSwXZAc/a8ojAHyWHoBa8hMZ3OIGGUW1.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://188.93.233.223/proxy1.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://103.124.106.203/cof4/inst.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatitis.site/dlc/mixinte
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ixtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/mH2EJxkv
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1lp5k

Performs some HTTP requests (11 events)

request	GET http://45.133.1.139/Manager/Temp/Ryo2zvWeVt7DR5GJAxSwXZAc/a8ojAHyWHoBa8hMZ3OIGGUW1.exe
request	GET http://188.93.233.223/proxy1.exe
request	GET http://103.124.106.203/cof4/inst.exe
request	GET http://file.ekkggr3.com/iuww/jvppp.exe
request	GET http://aretywer.xyz/Corepad092.exe
request	GET http://mytoolsprivacy.site/downloads/privacytools3.exe
request	GET http://whatitis.site/dlc/mixinte
request	GET https://iplogger.org/1ixtu7
request	GET https://pastebin.com/raw/mH2EJxkv
request	GET https://iplogger.org/1hVa87
request	GET https://iplogger.org/1lp5k

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00325000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00327000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00317000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00316000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00591000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00598000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00599000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 9068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6568 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5992 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5992 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5992 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 663552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d8e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 7012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 7012 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 7672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009bb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 7672 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 3320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008bb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 3320 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 7000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 7000 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

PlayerUI4.exe tried to sleep 161 seconds, actually delayed analysis time by 161 seconds

Creates executable files on the filesystem (50 out of 8765 events)

file	C:\Users\test22\Documents\360DDsgbgNjKQLt08Hb1QKZD.exe
file	C:\Users\test22\Documents\6Zn73uPDNKQqydBSuqtJhmqv.exe
file	C:\Users\test22\Documents\cnCFTDhPmDEGVVf7n72YuEE2.exe
file	C:\Users\test22\Documents\hcV2YgCn4P8bNLmuKkgRAPUX.exe
file	C:\Users\test22\Documents\OiGaQJdPwTIZZWlGfSegXlaE.exe
file	C:\Users\test22\Documents\fita6k5OOViyoc7dt1T4ja9G.exe
file	C:\Users\test22\Documents\xLqCjfiMOaa6K1vYDiNYoNxS.exe
file	C:\Users\test22\Documents\abg4cnRmAloUK6HSS5swKBSs.exe
file	C:\Users\test22\Documents\Q3XaCe7djk6EtTxs5j0rZUFs.exe
file	C:\Users\test22\Documents\umlGhO6dusXofYOj6IX5NhBJ.exe
file	C:\Users\test22\Documents\BahJ3Y1d6YTaMwZaPgDMrC5a.exe
file	C:\Users\test22\Documents\3F1h4LHo4AAqgZBZ6se8G56j.exe
file	C:\Users\test22\Documents\utPgle2IKrAe0E9xn3m0IDJH.exe
file	C:\Users\test22\Documents\gj3wfV2Q3mvycnwrahp8Roe1.exe
file	C:\Users\test22\Documents\3lmPnlVst4nBXTexV0uzugYn.exe
file	C:\Users\test22\Documents\gLCramGBueYpaDKkUKZTgspj.exe
file	C:\Users\test22\Documents\5byeKX1grB6zXBgiWlCTY54i.exe
file	C:\Users\test22\Documents\TQL235Z6U2JrJUvRmugWFjFQ.exe
file	C:\Users\test22\Documents\CzD1vnpACgrKqluf5kLgM9JE.exe
file	C:\Users\test22\Documents\xGRvllWlDxn0Pp5Iz5wd8z2j.exe
file	C:\Users\test22\Documents\X9YY7CNkjeHaqpOdCvEb6f6e.exe
file	C:\Users\test22\Documents\8hHeXef4YtGwP7ZlSJfVxbuv.exe
file	C:\Users\test22\Documents\rFiSJKFJSFFq2MaEkYC0Av9F.exe
file	C:\Users\test22\Documents\dNRorzFOBZgPD7FVz0g5tjG5.exe
file	C:\Users\test22\Documents\EpGVVMLIipnwfBVbclPSLVq2.exe
file	C:\Users\test22\Documents\EoLN4DDwk9xDUgYDt9kJGpBu.exe
file	C:\Users\test22\Documents\MT3d6yxe1YxgVFbImtn6OT0Q.exe
file	C:\Users\test22\Documents\ixPsUeyVMGBupLb0sPSY3xBj.exe
file	C:\Users\test22\Documents\ZICwk3vLDiitzZKnDECjq6yY.exe
file	C:\Users\test22\Documents\JnviyamS9bVX0oCE4F8NIVdx.exe
file	C:\Users\test22\Documents\zdC1Z5fC6UjpV8ChkGPFLyPN.exe
file	C:\Users\test22\Documents\L2dYEz6U3sM5j8YM4gbJD4w0.exe
file	C:\Users\test22\Documents\Td7UyZs70zi8ep4JrLpr4iwy.exe
file	C:\Users\test22\Documents\zHCASCa1vDYiEQXIQ1lFgHYb.exe
file	C:\Users\test22\Documents\XoQm2g75YsIstQFmae1lEk2j.exe
file	C:\Users\test22\Documents\xWZPnKcGKyQnYZ0lldswkpdc.exe
file	C:\Users\test22\Documents\J6XPROZlC98XKvoW9C6pwfol.exe
file	C:\Users\test22\Documents\ZbANWBBEh4tW9s3fhabVDLU8.exe
file	C:\Users\test22\Documents\tbDdmCPRi0pewK1qa7YNUOlM.exe
file	C:\Users\test22\Documents\FcpFAYhfRhkn8ovGKtS3iGVF.exe
file	C:\Users\test22\Documents\9moPVu4ymzLAV9hheIkGr49N.exe
file	C:\Users\test22\Documents\R2eTGmZcTjErbd4ovtJULktV.exe
file	C:\Users\test22\Documents\SmtyuBsPNewjjNehK4WOEj0Y.exe
file	C:\Users\test22\Documents\c16mM1oDM7EQ3GxdF4rd1Tkf.exe
file	C:\Users\test22\Documents\5BspTRwxItWbkeH9kvJOf2C3.exe
file	C:\Users\test22\Documents\XN8FSFD6lrX6VV57nxxxabIX.exe
file	C:\Users\test22\Documents\eRpEk13XbzIRnD0db3R69Wji.exe
file	C:\Users\test22\Documents\UJMKb525Lhn2NSmuwIdEsnrm.exe
file	C:\Users\test22\Documents\qjJF78lEpP51CD18U1vjtRAj.exe
file	C:\Users\test22\Documents\hhRpynVcQk4teT3vcNqk5H3d.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 22, 2021, 6:40 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004b0 filepath: C:\Users\Public\Documents\c4Bhm02YHz.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\Public\Documents\c4Bhm02YHz.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0
NtCreateFile March 22, 2021, 6:40 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000000d8 filepath: C:\Users\test22\Desktop\Wr103rcdY.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\Desktop\Wr103rcdY.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0

Creates a suspicious process (1 event)

cmdline

C:\Users\test22\Documents\YereJ6d5EVjew8g4fXGSacmD.exe

Drops a binary and executes it (6 events)

file	C:\Users\test22\Documents\MDz03KDx5tY2Bi5d8d4StQ89.exe
file	C:\Users\test22\Documents\Q8CnUR0O37LKIHIksSmOScYw.exe
file	C:\Users\test22\Documents\IBtSNOSLSb41VdOtNJVApfMD.exe
file	C:\Users\test22\Documents\qxx0TeSEcd64gVTUqJcsSLzZ.exe
file	C:\Users\test22\Documents\BEM5sD4e7YrRvA0NLvlEab9M.exe
file	C:\Users\test22\Documents\GeFA6Ctfc7OzkLICfC0Tn8yv.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\4DD3.tmp

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 6:39 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00011200', u'virtual_address': u'0x00002000', u'entropy': 7.060306685808668, u'name': u'.text', u'virtual_size': u'0x00011178'}

entropy

7.06030668581

description

A section with a high entropy has been found

entropy

0.971631205674

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1

Yara rule detected in process memory (14 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (14 events)

cmdline	C:\Users\test22\Documents\TkXWvE54wMDL0ZHCuY6FnDeL.exe
cmdline	C:\Users\test22\Documents\BmNlmwOfOQNQIkDGOtGuUOsc.exe
cmdline	C:\Users\test22\Documents\GjMY2ROkAz8qIRhNduFLWiSc.exe
cmdline	C:\Users\test22\Documents\QEf2qJV2CALD0BDunNraFaAT.exe
cmdline	C:\Users\test22\Documents\GAHq2offPPLJ6j7OccdMe2AT.exe
cmdline	C:\Users\test22\Documents\Uo8JhQOYgqW3teNy956lk2SC.exe
cmdline	C:\Users\test22\Documents\XDYeTiqHV7yUNxL46amksOsC.exe
cmdline	C:\Users\test22\Documents\rG7Gn4gPEXe0xeNCJsBLPcAt.exe
cmdline	C:\Users\test22\Documents\8gtAsboCrXchcPSRD05AsJIg.exe
cmdline	C:\Users\test22\Documents\1dKuYu6u5qJxBDg8StXRqjsC.exe
cmdline	C:\Users\test22\Documents\zWPqmtGyYfbhOe6HrMkBvtsc.exe
cmdline	C:\Users\test22\Documents\JzEkqbvKKVdIB4JYzE5JXaAT.exe
cmdline	C:\Users\test22\Documents\HqcffoS2LqXi8xlYh15GXjSc.exe
cmdline	C:\Users\test22\Documents\KKTeVpuo4mIpoQM60LsLwdat.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 7bec0c20dc7534bc75d019a9350aa090b4116520

Communicates with host for which no DNS query was performed (4 events)

host	103.124.106.203
host	172.217.25.14
host	188.93.233.223
host	45.133.1.139

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 3468 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5280 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by registry key (4 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\aVPwtNVvFLOGU33xyImuAqHyuFIvdpMV
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MScBMj3wDaZPcaVJwn8zzY3dwwSrzQyf
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msCT1tjXHQNkE20T0ylpVuOWC4rZYkTT
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BkaVH1q7pA3DRme8Oprf5MqO45DJXlyF

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 22, 2021, 6:39 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (50 out of 8772 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Muavi Music Player 2zAOM0rwelSfckyviZxkJXInbw6S2C0tocie	reg_value	C:\Users\test22\AppData\Roaming\MicrosoftkFQYR16F mrjvgpcvsd5M3d0Updater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TPLsw1HIkmVoBj59gJI5Ohu2pwcVYgw5	reg_value	C:\Users\test22\Documents\MDz03KDx5tY2Bi5d8d4StQ89.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fSDAZwuEzZjLCRAKIET8QVoYUCwduMyC	reg_value	C:\Users\test22\Documents\Fzgn9VADlPRZNQbZi5wkHCvv.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nopX9QTmlgHQIT2IaedCv1rEofiIvvUR	reg_value	C:\Users\test22\Documents\EvIqSAozfNjxrPXQ4lbDswfK.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\7lsdsK00M0AJQOyJnPJypg6hX7adIF8x	reg_value	C:\Users\test22\Documents\Q8CnUR0O37LKIHIksSmOScYw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oKFuuXsH1MjAiEjPtasUioaYn68oe5e9	reg_value	C:\Users\test22\Documents\jQqtjXfsGV8RG8UdedlCTkGa.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tqGyZEm5rk0T9L68d9rrNgATBiuImmHX	reg_value	C:\Users\test22\Documents\JPEYSv7sm1a4YU5Z3WT22w29.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\F9B9hvoHoDcGsrLyRWgAhCa7vS0sAzur	reg_value	C:\Users\test22\Documents\WEploITiOfNydlZsZUY2ELvN.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\4tfJ0ztnzpRJCWdPha46w78MSHz43Inj	reg_value	C:\Users\test22\Documents\qxx0TeSEcd64gVTUqJcsSLzZ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BrDCVdrvvwSse1dl5AmglnCDjEOP45Hz	reg_value	C:\Users\test22\Documents\IBtSNOSLSb41VdOtNJVApfMD.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SvEBnIdyovOutrc3yPwANOFYpAdQPc1z	reg_value	C:\Users\test22\Documents\BEM5sD4e7YrRvA0NLvlEab9M.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qlp4BLqj0WEIHVHTQp69MCk3PEZJmNsa	reg_value	C:\Users\test22\Documents\pdatxc8xgy10YRT1lUapJGmE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\p75DhnKssfZ5o7O42JIqSALoBvp6vh6n	reg_value	C:\Users\test22\Documents\ppVmpMiM4YEQRsFVQ9dYWPAY.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vRCv7O6KjwRAeEeyXfMFteAVhYGRQdim	reg_value	C:\Users\test22\Documents\nncKaDwmeNRrnpOR0eRdEBHo.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\QrOjIp4GNoeppVyW06znWK7TlTQxX9xd	reg_value	C:\Users\test22\Documents\gyYIAApQQGH0YNwwAcFjzC4R.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\t58yZGsN1AvjdekuyObVgOkeNlJoQ4Qn	reg_value	C:\Users\test22\Documents\4G2TwGHkLBnttHGposs3NR4G.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Udkx6E67uIXr4smeCWDHW1IqZ9fSzRxm	reg_value	C:\Users\test22\Documents\Lvj1ITLFSZ1sVhLJI8E8zjjf.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\U4Y6ioHcUug0M7woNzob35g5uG5OVTHs	reg_value	C:\Users\test22\Documents\LEgosYINc48NJePZWk6dfcJd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YcMct2GBnx4Io8oCJ0oXDG7V2gaEDb4M	reg_value	C:\Users\test22\Documents\5DTx9Lpxwf2Z7ZNZyRPpysjZ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\e0jMcC7L3souiHC6vu8MUx1xvkb056JS	reg_value	C:\Users\test22\Documents\e4Zh9NE3Z0wKeEuzmNg7DLVR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9wa1lHQ6iWLaE4S3SkTtgEXuT5pVu0FY	reg_value	C:\Users\test22\Documents\iICIn2bX3kQwaARfKjMTNJ7r.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yphpc4MsQwPtvacsyhYM1T5deYEbzci7	reg_value	C:\Users\test22\Documents\LVI1bkwvUUNDz0bQRSAm0NL4.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\uELD0v2xOSjh8qpsN9FWg31w3NkipPIL	reg_value	C:\Users\test22\Documents\JOcvCGTZHexClrf00RxSz8DF.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MYKmKUI8JYWkprx7atugFio5Va6jKSRd	reg_value	C:\Users\test22\Documents\KXB84PiVm9yTH72JmFF03ri0.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tOQtXix1G3ve5R2dicqOZ5UE6BRD2Hgw	reg_value	C:\Users\test22\Documents\yKvgF6LR00JtkRe4SHZK7Bvo.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\4MxWRt99X8FxeByGiXMHSni6BQy6fBa2	reg_value	C:\Users\test22\Documents\ZHw0pb3SCRmrfA9BO6mfVgOy.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\o1UA4DdWhM4gFVdAX2zpTBBzulyAEciv	reg_value	C:\Users\test22\Documents\276cnhATSnUh4MgNHf68UHfQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0fQSPdSEoJEZgqyXekfVBThudC8H2Gdm	reg_value	C:\Users\test22\Documents\cpywM9YOJ79sR9HwC6kbSz7m.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\7fzNfKMhqbrUuHnYlzpHPZzvwm9oJvSF	reg_value	C:\Users\test22\Documents\rL5qtF9qp4DI5sPVIN7rTmkg.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qDa2KiY4ImuVYaHyoJZt7Wu1C9EjpyIH	reg_value	C:\Users\test22\Documents\kZsNQwKfrgcdA4kAjjGe7dRi.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ti0KeyPTemNN34dWyQlZBWrxX5IY9UCj	reg_value	C:\Users\test22\Documents\HKgMVSVJHhVYKOmJbRzxEilU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1Dxiq0UJjooqBq5nkSH9cJw8plkgVOnX	reg_value	C:\Users\test22\Documents\jM3wbKpSSB3hAYPgxc9y6LT7.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rz3FQxxVBRxFvhReqpTrLZPGFd9AB9Tk	reg_value	C:\Users\test22\Documents\365XWGlbqu7WtifHgVNnETfr.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kwAxxxUB8NohbtRKdavjDwVpHA6SC3jn	reg_value	C:\Users\test22\Documents\aNGhMgL26mVcvaW9Et6ZAxg1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\aVqx1C8EnA0Mw1oFVmQtSy2Sdl0Q8Alt	reg_value	C:\Users\test22\Documents\rO7agYFISUehwyhUbw5jC7xx.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cXUPLsFnZGwm1dXDVAY14HVIDQIIvMDW	reg_value	C:\Users\test22\Documents\aJ9LsRRQVa3v7UhkHzOZqDfm.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CLL4j62NDZ8duDFU5vhnvejIhdqjIWrA	reg_value	C:\Users\test22\Documents\oXsU7BEmUQV0i4socLDqpnrV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mCXGPSEqr8xWuTevsJPmraMSiRdZly4m	reg_value	C:\Users\test22\Documents\qXSwzJDYYIxJ6P4ZGtu3GDji.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zEh8ypE3DKiAJs8vBJjk8O0AnqKmn7y1	reg_value	C:\Users\test22\Documents\xuKww7IGDGb8bioxO9K7y60L.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NgUHecQGWrHKvQV10KjaUkAAColNBJdn	reg_value	C:\Users\test22\Documents\386rZKSYBi4Q9nngAZ6pXPMl.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\gTE00CENOeYZwcBqRAJfqrej21J6VQ6A	reg_value	C:\Users\test22\Documents\vVe3zK3jRy4SfdvtEEyMqvQn.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ze783I27hYV5FfjOR4w9ndfh4h2NVQXT	reg_value	C:\Users\test22\Documents\E0WfGCsOtqEBEV7lDI5qmv7y.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9aEWPpmQABBhz8KhjKKf9zh2BVoo2pU6	reg_value	C:\Users\test22\Documents\3iqlEtVlyHdpABghiqYs87LV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\2LU4A7YVrFKeVf2jyBBwLj2CmEIBggJr	reg_value	C:\Users\test22\Documents\WVmop9VJeNo8A8skg0JywpVJ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TSR5yXyL5de1uY5X1d71S7OYzIC7hYCa	reg_value	C:\Users\test22\Documents\9dvdobJhyTQ4yOOA8j9voj7T.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\E3FqU1ohaEWSNkNougXM83oc1bT5f2zZ	reg_value	C:\Users\test22\Documents\fbKVJNtbeF9UtWQknm3KlFAV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Omy2hsCiP61YS7grZtvg99c3EPgPburn	reg_value	C:\Users\test22\Documents\bzRQHCGnbb4pA8XDYPaEsxXL.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\K5xRMwGePN6N5BdLnCGnjYwGfFhsFskl	reg_value	C:\Users\test22\Documents\bFBeOOGsZVZEH8ubsso8C0LP.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JrwHPYYgnVSJrKvzgcYoj2D7k0cmXk1V	reg_value	C:\Users\test22\Documents\4wUTaygnO5z3ChfrPdV9uipw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oyhZ5wJCe6DI9DwHEhHRmWsO0X40HkMF	reg_value	C:\Users\test22\Documents\GiKsCYY0gSQrOV9FrgdRJBMQ.exe

Loads a driver (6 events)

Time & API	Arguments	Return
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\K4oX30824TQq5	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\gM7523	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\cn16I4vm2	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\70194m3d5bBC3e	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\0xqrwo98Cm7TI5	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\AwQg9	3221225473

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\Documents\UzTAN1kXOBpVg4X49u7vGqqQ.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2021, 6:40 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3468 process_handle: 0x00000080	1	1	0
WriteProcessMemory March 22, 2021, 6:40 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5280 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3320 called NtSetContextThread to modify thread in remote process 3468
Process injection	Process 5328 called NtSetContextThread to modify thread in remote process 5280
NtSetContextThread March 22, 2021, 6:40 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 3468	1	0	0
NtSetContextThread March 22, 2021, 6:40 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 5280	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3320 resumed a thread in remote process 3468
Process injection	Process 5328 resumed a thread in remote process 5280
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 3468	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 5280	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

C:\Users\test22\Documents\hfGV1tMYH1HIQUCSVDeVTRob.exe

Uses Sysinternals tools in order to add additional command line functionality (18 events)

cmdline	C:\Users\test22\Documents\PR3wvikcYuItJ1GyVEtE4mRu.exe
cmdline	C:\Users\test22\Documents\NWkT0Kdv38lQRkuflnD03bRu.exe
cmdline	C:\Users\test22\Documents\t7PpXCSo8Czcf3TTaXmqkzru.exe
cmdline	C:\Users\test22\Documents\wOs5NklNwxGqX5N8Gfk6SrRu.exe
cmdline	C:\Users\test22\Documents\b8qufdQQPgZArp8Qo5xp31Ru.exe
cmdline	C:\Users\test22\Documents\cfnGaQpD32mF4G7zdnsJFqdU.exe
cmdline	C:\Users\test22\Documents\nLsiIGwsftdsfl8sks48BqRu.exe
cmdline	C:\Users\test22\Documents\LmV56g6c5ZWS9OHwIlRMgIRU.exe
cmdline	C:\Users\test22\Documents\zyI9fekS0vgh5FhWYTVlDnDU.exe
cmdline	C:\Users\test22\Documents\M4hjIaQjQrDAIkQuU59u7aru.exe
cmdline	C:\Users\test22\Documents\GV6qJqspx9rU9Nlu2HG2GWrU.exe
cmdline	C:\Users\test22\Documents\azXhxYzJVBSGEHGRvTiaPMru.exe
cmdline	C:\Users\test22\Documents\aJLLgED5t5l8V0wle5XvWXrU.exe
cmdline	C:\Users\test22\Documents\6Wa65etG8vpjn0IJK5m5farU.exe
cmdline	C:\Users\test22\Documents\ALzrsoS0UeMgK0fHcM0ZFLDU.exe
cmdline	C:\Users\test22\Documents\GvmbfWQNIIdOuLP3GXVcdgDU.exe
cmdline	C:\Users\test22\Documents\lRcmD6VqEEz4D02BRLOsq0ru.exe
cmdline	C:\Users\test22\Documents\IaOGlaCmGgDULYw2GX68h4du.exe

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 out of 17571 events)

Time & API	Arguments	Status	Return
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000638 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000064c suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000664 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006a0 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006b8 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006d4 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006f4 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000714 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000730 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000078c suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000007e8 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000083c suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000878 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000008f8 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000978 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000918 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000860 suspend_count: 1 process_identifier: 9068	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 8868 thread_handle: 0x000002c0 process_identifier: 6568 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\MDz03KDx5tY2Bi5d8d4StQ89.exe track: 1 command_line: "C:\Users\test22\Documents\MDz03KDx5tY2Bi5d8d4StQ89.exe" filepath_r: C:\Users\test22\Documents\MDz03KDx5tY2Bi5d8d4StQ89.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000918 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000978 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000714 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000954 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000884 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000850 suspend_count: 1 process_identifier: 9068	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\Fzgn9VADlPRZNQbZi5wkHCvv.exe track: 0 command_line: "C:\Users\test22\Documents\Fzgn9VADlPRZNQbZi5wkHCvv.exe" filepath_r: C:\Users\test22\Documents\Fzgn9VADlPRZNQbZi5wkHCvv.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 5860 thread_handle: 0x000009d8 process_identifier: 5992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\JPEYSv7sm1a4YU5Z3WT22w29.exe track: 1 command_line: "C:\Users\test22\Documents\JPEYSv7sm1a4YU5Z3WT22w29.exe" filepath_r: C:\Users\test22\Documents\JPEYSv7sm1a4YU5Z3WT22w29.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009dc	1	1
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 3684 thread_handle: 0x000009e8 process_identifier: 7012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\jQqtjXfsGV8RG8UdedlCTkGa.exe track: 1 command_line: "C:\Users\test22\Documents\jQqtjXfsGV8RG8UdedlCTkGa.exe" filepath_r: C:\Users\test22\Documents\jQqtjXfsGV8RG8UdedlCTkGa.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009e4	1	1
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 8140 thread_handle: 0x00000a04 process_identifier: 3320 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\EvIqSAozfNjxrPXQ4lbDswfK.exe track: 1 command_line: "C:\Users\test22\Documents\EvIqSAozfNjxrPXQ4lbDswfK.exe" filepath_r: C:\Users\test22\Documents\EvIqSAozfNjxrPXQ4lbDswfK.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a08	1	1
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 8248 thread_handle: 0x000009f8 process_identifier: 7672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\Q8CnUR0O37LKIHIksSmOScYw.exe track: 1 command_line: "C:\Users\test22\Documents\Q8CnUR0O37LKIHIksSmOScYw.exe" filepath_r: C:\Users\test22\Documents\Q8CnUR0O37LKIHIksSmOScYw.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a1c	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000718 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000009d4 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000a04 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000009bc suspend_count: 1 process_identifier: 9068	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\WEploITiOfNydlZsZUY2ELvN.exe track: 0 command_line: "C:\Users\test22\Documents\WEploITiOfNydlZsZUY2ELvN.exe" filepath_r: C:\Users\test22\Documents\WEploITiOfNydlZsZUY2ELvN.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 2424 thread_handle: 0x000009f4 process_identifier: 7000 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\IBtSNOSLSb41VdOtNJVApfMD.exe track: 1 command_line: "C:\Users\test22\Documents\IBtSNOSLSb41VdOtNJVApfMD.exe" filepath_r: C:\Users\test22\Documents\IBtSNOSLSb41VdOtNJVApfMD.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009dc	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000700 suspend_count: 1 process_identifier: 9068	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000958 suspend_count: 1 process_identifier: 9068	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\pdatxc8xgy10YRT1lUapJGmE.exe track: 0 command_line: "C:\Users\test22\Documents\pdatxc8xgy10YRT1lUapJGmE.exe" filepath_r: C:\Users\test22\Documents\pdatxc8xgy10YRT1lUapJGmE.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 6688 thread_handle: 0x00000a70 process_identifier: 6652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\ppVmpMiM4YEQRsFVQ9dYWPAY.exe track: 1 command_line: "C:\Users\test22\Documents\ppVmpMiM4YEQRsFVQ9dYWPAY.exe" filepath_r: C:\Users\test22\Documents\ppVmpMiM4YEQRsFVQ9dYWPAY.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a7c	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000a38 suspend_count: 1 process_identifier: 9068	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

MicroWorld-eScan	Trojan.GenericKD.36542592
Qihoo-360	Win32/Ransom.Blocker.HgIASRIA
ALYac	Trojan.GenericKD.36542592
Sangfor	Trojan.Win32.Save.a
Alibaba	Ransom:Win32/Blocker.72df3665
Arcabit	Trojan.Generic.D22D9880
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Ransom.MSIL.Blocker.gen
BitDefender	Trojan.GenericKD.36542592
Avast	Win32:PWSX-gen [Trj]
Rising	Ransom.Blocker!8.12A (CLOUD)
Ad-Aware	Trojan.GenericKD.36542592
Emsisoft	Trojan.GenericKD.36542592 (B)
F-Secure	Trojan.TR/Blocker.bdmmf
DrWeb	Trojan.Siggen12.47248
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.36542592
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Blocker.bdmmf
Gridinsoft	Ransom.Win32.Blocker.vb
Microsoft	Trojan:Win32/Ymacco.AA08
AegisLab	Trojan.MSIL.Blocker.j!c
ZoneAlarm	HEUR:Trojan-Ransom.MSIL.Blocker.gen
GData	Trojan.GenericKD.36542592
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win.Blocker.R373468
McAfee	Artemis!D6687321A99F
MAX	malware (ai score=82)
Malwarebytes	Trojan.Downloader
Ikarus	Win32.Outbreak
Fortinet	PossibleThreat
BitDefenderTheta	Gen:NN.ZemsilF.34628.em0@aSFghNo
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)

Stops Windows services (6 events)

service	0xqrwo98Cm7TI5 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\0xqrwo98Cm7TI5\Start)
service	AwQg9 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AwQg9\Start)
service	K4oX30824TQq5 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\K4oX30824TQq5\Start)
service	cn16I4vm2 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cn16I4vm2\Start)
service	70194m3d5bBC3e (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\70194m3d5bBC3e\Start)
service	gM7523 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gM7523\Start)

PlayerUI4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All